From c671622ba514c8d9158c6d93fac5701d96bf5d7e Mon Sep 17 00:00:00 2001 From: jagathprakash <31057312+jagathprakash@users.noreply.github.com> Date: Thu, 3 Nov 2022 11:13:28 -0400 Subject: [PATCH] Breaking down PR #4759 originally proposed by @pxp928 to address TEP-0089 according @lumjjb suggestions. Plan for breaking down PR is PR 1.1: api PR 1.2: entrypointer (+cmd line + test/entrypointer) Entrypoint takes results and signs the results (termination message). PR 1.3: reconciler + pod + cmd/controller + integration tests Controller will verify the signed result. This commit corresponds to 1.3 above. --- cmd/imagedigestexporter/main.go | 23 +- config/config-feature-flags.yaml | 5 + config/config-spire.yaml | 49 +++ config/controller.yaml | 2 + docs/spire.md | 273 ++++++++++++ .../v1beta1/pipelineruns/4808-regression.yaml | 2 +- hack/update-codegen.sh | 5 + pkg/apis/config/feature_flags.go | 37 +- pkg/apis/config/feature_flags_test.go | 17 +- pkg/apis/config/spire_config.go | 83 ++++ pkg/apis/config/spire_config_test.go | 70 +++ pkg/apis/config/store.go | 11 + pkg/apis/config/store_test.go | 12 +- .../config/testdata/config-spire-empty.yaml | 29 ++ pkg/apis/config/testdata/config-spire.yaml | 31 ++ .../testdata/feature-flags-all-flags-set.yaml | 2 +- ...ds-overrides-bundles-and-custom-tasks.yaml | 2 +- ...gs-enforce-nonfalsifiability-bad-flag.yaml | 7 + ...lags-enforce-nonfalsifiability-spire.yaml} | 2 +- pkg/pod/pod.go | 38 +- pkg/pod/pod_test.go | 233 +++++++++- pkg/pod/status.go | 93 +++- pkg/pod/status_test.go | 405 +++++++++++++++++- pkg/reconciler/taskrun/controller.go | 5 +- .../taskrun/resources/image_exporter.go | 18 +- .../taskrun/resources/image_exporter_test.go | 170 +++++++- pkg/reconciler/taskrun/taskrun.go | 30 +- pkg/reconciler/taskrun/taskrun_test.go | 180 +++++--- pkg/spire/config/config.go | 3 +- pkg/spire/config/zz_generated.deepcopy.go | 38 ++ pkg/spire/controller.go | 24 +- pkg/spire/spire_test.go | 25 ++ test/controller.go | 11 +- test/controller_test.go | 4 + test/e2e-common.sh | 59 +++ test/e2e-tests.sh | 16 + test/embed_test.go | 16 +- test/entrypoint_test.go | 15 +- test/featureflags.go | 63 +-- test/helm_task_test.go | 17 +- test/hermetic_taskrun_test.go | 20 +- test/ignore_step_error_test.go | 11 +- test/init_test.go | 23 + test/kaniko_task_test.go | 10 +- test/pipelinefinally_test.go | 91 +++- test/pipelinerun_test.go | 40 +- test/status_test.go | 26 +- test/taskrun_test.go | 126 +++++- .../patch/pipeline-controller-spire.json | 56 +++ test/testdata/spire/config-spire.yaml | 17 + test/testdata/spire/spiffe-csi-driver.yaml | 20 + test/testdata/spire/spire-agent.yaml | 208 +++++++++ test/testdata/spire/spire-server.yaml | 211 +++++++++ 53 files changed, 2836 insertions(+), 148 deletions(-) create mode 100644 config/config-spire.yaml create mode 100644 docs/spire.md create mode 100644 pkg/apis/config/spire_config.go create mode 100644 pkg/apis/config/spire_config_test.go create mode 100644 pkg/apis/config/testdata/config-spire-empty.yaml create mode 100644 pkg/apis/config/testdata/config-spire.yaml create mode 100644 pkg/apis/config/testdata/feature-flags-enforce-nonfalsifiability-bad-flag.yaml rename pkg/apis/config/testdata/{feature-flags-enable-spire.yaml => feature-flags-enforce-nonfalsifiability-spire.yaml} (72%) create mode 100644 pkg/spire/config/zz_generated.deepcopy.go create mode 100644 test/testdata/patch/pipeline-controller-spire.json create mode 100644 test/testdata/spire/config-spire.yaml create mode 100644 test/testdata/spire/spiffe-csi-driver.yaml create mode 100644 test/testdata/spire/spire-agent.yaml create mode 100644 test/testdata/spire/spire-server.yaml diff --git a/cmd/imagedigestexporter/main.go b/cmd/imagedigestexporter/main.go index 33496dab427..6bd4e2f4a52 100644 --- a/cmd/imagedigestexporter/main.go +++ b/cmd/imagedigestexporter/main.go @@ -17,9 +17,12 @@ limitations under the License. package main import ( + "context" "encoding/json" "flag" + "github.com/tektoncd/pipeline/pkg/spire" + "github.com/tektoncd/pipeline/pkg/spire/config" "github.com/tektoncd/pipeline/pkg/termination" "knative.dev/pkg/logging" @@ -31,9 +34,12 @@ import ( var ( images = flag.String("images", "", "List of images resources built by task in json format") terminationMessagePath = flag.String("terminationMessagePath", "/tekton/termination", "Location of file containing termination message") + enableSpire = flag.Bool("enable_spire", false, "If specified by configmap, this enables spire signing and verification") + socketPath = flag.String("spire_socket_path", "unix:///spiffe-workload-api/spire-agent.sock", "Experimental: The SPIRE agent socket for SPIFFE workload API.") ) -/* The input of this go program will be a JSON string with all the output PipelineResources of type +/* +The input of this go program will be a JSON string with all the output PipelineResources of type Image, which will include the path to where the index.json file will be located. The program will read the related index.json file(s) and log another JSON string including the name of the image resource and the digests. @@ -76,6 +82,21 @@ func main() { } + if enableSpire != nil && *enableSpire && socketPath != nil && *socketPath != "" { + ctx := context.Background() + spireConfig := config.SpireConfig{ + SocketPath: *socketPath, + } + + spireWorkloadAPI := spire.NewEntrypointerAPIClient(&spireConfig) + signed, err := spireWorkloadAPI.Sign(ctx, output) + if err != nil { + logger.Fatal(err) + } + + output = append(output, signed...) + } + if err := termination.WriteMessage(*terminationMessagePath, output); err != nil { logger.Fatalf("Unexpected error writing message %s to %s", *terminationMessagePath, err) } diff --git a/config/config-feature-flags.yaml b/config/config-feature-flags.yaml index 01ac93e7703..cb059014fe4 100644 --- a/config/config-feature-flags.yaml +++ b/config/config-feature-flags.yaml @@ -97,3 +97,8 @@ data: # Acceptable values are "v1beta1" and "v1alpha1". # The default is "v1alpha1". custom-task-version: "v1alpha1" + # Setting this flag will determine how Tekton pipelines will handle non-falsifiable provenance. + # If set to "spire", then SPIRE will be used to ensure non-falsifiable provenance. + # If set to "none", then Tekton will not have non-falsifiable provenance. + # This is an experimental feature and thus should still be considered an alpha feature. + enforce-nonfalsifiablity: "none" diff --git a/config/config-spire.yaml b/config/config-spire.yaml new file mode 100644 index 00000000000..726d5ade916 --- /dev/null +++ b/config/config-spire.yaml @@ -0,0 +1,49 @@ +# Copyright 2022 The Tekton Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +kind: ConfigMap +metadata: + name: config-spire + namespace: tekton-pipelines + labels: + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines +data: + _example: | + ################################ + # # + # EXAMPLE CONFIGURATION # + # # + ################################ + # This block is not actually functional configuration, + # but serves to illustrate the available configuration + # options and document them in a way that is accessible + # to users that `kubectl edit` this config map. + # + # These sample configuration options may be copied out of + # this example block and unindented to be in the data block + # to actually change the configuration. + # + # spire-trust-domain specifies the SPIRE trust domain to use. + # spire-trust-domain: "example.org" + # + # spire-socket-path specifies the SPIRE agent socket for SPIFFE workload API. + # spire-socket-path: "unix:///spiffe-workload-api/spire-agent.sock" + # + # spire-server-addr specifies the SPIRE server address for workload/node registration. + # spire-server-addr: "spire-server.spire.svc.cluster.local:8081" + # + # spire-node-alias-prefix specifies the SPIRE node alias prefix to use. + # spire-node-alias-prefix: "/tekton-node/" diff --git a/config/controller.yaml b/config/controller.yaml index 832c7242633..83d561d6c60 100644 --- a/config/controller.yaml +++ b/config/controller.yaml @@ -117,6 +117,8 @@ spec: value: feature-flags - name: CONFIG_LEADERELECTION_NAME value: config-leader-election + - name: CONFIG_SPIRE + value: config-spire - name: CONFIG_TRUSTED_RESOURCES_NAME value: config-trusted-resources - name: SSL_CERT_FILE diff --git a/docs/spire.md b/docs/spire.md new file mode 100644 index 00000000000..95ae78e5b8c --- /dev/null +++ b/docs/spire.md @@ -0,0 +1,273 @@ + +# TaskRun Result Attestations + +TaskRun result attestations is currently an alpha experimental feature. + +The TaskRun result attestations feature provides the first part of non-falsifiable provenance to the build processes that run in the pipeline. They ensure that the results of the tekton pipeline executions originate from the build workloads themselves and that they have not been tampered with. The second part of non-falsifiable provenance is to ensure that no third party interfered with the build process. Using SPIRE, the TaskRun status is monitored for any activity or change not performed by the Tekton Pipeline Controller. If an unauthorized change is detected, it will invalidate the TaskRun. + +When the TaskRun result attestations feature is enabled, all TaskRuns will produce a signature alongside its results, which can then be used to validate its provenance. For example, a TaskRun result that creates user-specified results `commit` and `url` would look like the following. `SVID`, `RESULT_MANIFEST`, `RESULT_MANIFEST.sig`, `commit.sig` and `url.sig` are generated attestations by the integration of SPIRE and Tekton Controller. + +Parsed, the fields would be: +``` +... + +... +πŸ“ Results + + NAME VALUE + βˆ™ RESULT_MANIFEST commit,url,SVID,commit.sig,url.sig + βˆ™ RESULT_MANIFEST.sig MEUCIQD55MMII9SEk/esQvwNLGC43y7efNGZ+7fsTdq+9vXYFAIgNoRW7cV9WKriZkcHETIaAKqfcZVJfsKbEmaDyohDSm4= + βˆ™ SVID -----BEGIN CERTIFICATE----- +MIICGzCCAcGgAwIBAgIQH9VkLxKkYMidPIsofckRQTAKBggqhkjOPQQDAjAeMQsw +CQYDVQQGEwJVUzEPMA0GA1UEChMGU1BJRkZFMB4XDTIyMDIxMTE2MzM1MFoXDTIy +MDIxMTE3MzQwMFowHTELMAkGA1UEBhMCVVMxDjAMBgNVBAoTBVNQSVJFMFkwEwYH +KoZIzj0CAQYIKoZIzj0DAQcDQgAEBRdg3LdxVAELeH+lq8wzdEJd4Gnt+m9G0Qhy +NyWoPmFUaj9vPpvOyRgzxChYnW0xpcDWihJBkq/EbusPvQB8CKOB4TCB3jAOBgNV +HQ8BAf8EBAMCA6gwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMAwGA1Ud +EwEB/wQCMAAwHQYDVR0OBBYEFID7ARM5+vwzvnLPMO7Icfnj7l7hMB8GA1UdIwQY +MBaAFES3IzpGDqgV3QcQNgX8b/MBwyAtMF8GA1UdEQRYMFaGVHNwaWZmZTovL2V4 +YW1wbGUub3JnL25zL2RlZmF1bHQvdGFza3J1bi9jYWNoZS1pbWFnZS1waXBlbGlu +ZXJ1bi04ZHE5Yy1mZXRjaC1mcm9tLWdpdDAKBggqhkjOPQQDAgNIADBFAiEAi+LR +JkrZn93PZPslaFmcrQw3rVcEa4xKmPleSvQaBoACIF1QB+q1uwH6cNvWdbLK9g+W +T9Np18bK0xc6p5SuTM2C +-----END CERTIFICATE----- + βˆ™ commit aa79de59c4bae24e32f15fda467d02ae9cd94b01 + βˆ™ commit.sig MEQCIEJHk+8B+mCFozp0F52TQ1AadlhEo1lZNOiOnb/ht71aAiBCE0otKB1R0BktlPvweFPldfZfjG0F+NUSc2gPzhErzg== + βˆ™ url https://github.com/buildpacks/samples + βˆ™ url.sig MEUCIF0Fuxr6lv1MmkreqDKcPH3m+eXp+gY++VcxWgGCx7T1AiEA9U/tROrKuCGfKApLq2A9EModbdoGXyQXFOpAa0aMpOg= +``` + +However, the verification materials are removed from the final results as part of the TaskRun status. It is stored in the termination messages (more details below): + +``` +$ tkn tr describe cache-image-pipelinerun-8dq9c-fetch-from-git +... + +... +πŸ“ Results + NAME VALUE + βˆ™ commit aa79de59c4bae24e32f15fda467d02ae9cd94b01 + βˆ™ url https://github.com/buildpacks/samples +``` + +## Architecture Overview + +This feature relies on a SPIRE installation. This is how it integrates into the architecture of Tekton: + +``` +β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” Register TaskRun Workload Identity β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” +β”‚ β”œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β–Ίβ”‚ β”‚ +β”‚ Tekton β”‚ β”‚ SPIRE β”‚ +β”‚ Controller │◄───────────┐ β”‚ Server β”‚ +β”‚ β”‚ β”‚ Listen on TaskRun β”‚ β”‚ +β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”¬β”˜ β”‚ β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ + β–² β”‚ β”Œβ”€β”€β”€β”€β”€β”€β”€β”΄β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β–² + β”‚ β”‚ β”‚ Tekton TaskRun β”‚ β”‚ + β”‚ β”‚ β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ β”‚ + β”‚ Configureβ”‚ β–² β”‚ Attest + β”‚ Pod & β”‚ β”‚ β”‚ + + β”‚ check β”‚ β”‚ β”‚ Request + β”‚ ready β”‚ β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”‚ β”‚ SVIDs + β”‚ └────►│ TaskRun β”œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ β”‚ + β”‚ β”‚ Pod β”‚ β”‚ + β”‚ β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ TaskRun Entrypointer β”‚ + β”‚ β–² Sign Result and update β”‚ + β”‚ Get β”‚ Get SVID TaskRun status with β”‚ + β”‚ SPIRE β”‚ signature + cert β”‚ + β”‚ server β”‚ β”‚ + β”‚ Credentials β”‚ β–Ό +β”Œβ”΄β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”΄β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” +β”‚ β”‚ +β”‚ SPIRE Agent ( Runs as ) β”‚ +β”‚ + CSI Driver ( Daemonset ) β”‚ +β”‚ β”‚ +β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ +``` + +Initial Setup: +1. As part of the SPIRE deployment, the SPIRE server attests the agents running on each node in the cluster. +1. The Tekton Controller is configured to have workload identity entry creation permissions to the SPIRE server. +1. As part of the Tekton Controller operations, the Tekton Controller will retrieve an identity that it can use to talk to the SPIRE server to register TaskRun workloads. + +When a TaskRun is created: +1. The Tekton Controller creates a TaskRun pod and its associated resources +1. When the TaskRun pod is ready, the Tekton Controller registers an identity with the information of the pod to the SPIRE server. This will tell the SPIRE server the identity of the TaskRun to use as well as how to attest the workload/pod. +1. After the TaskRun steps complete, as part of the entrypointer code, it requests an SVID from SPIFFE workload API (via the SPIRE agent socket) +1. The SPIRE agent will attest the workload and request an SVID. +1. The entrypointer receives an x509 SVID, containing the x509 certificate and associated private key. +1. The entrypointer signs the results of the TaskRun and emits the signatures and x509 certificate to the TaskRun results for later verification. + +## Enabling TaskRun result attestations + +To enable TaskRun attestations: +1. Make sure `enforce-nonfalsifiability` is set to `"spire"` in the `feature-flags` configmap, see [`install.md`](./install.md#customizing-the-pipelines-controller-behavior) for details +1. Create a SPIRE deployment containing a SPIRE server, SPIRE agents and the SPIRE CSI driver, for convenience, [this sample single cluster deployment](https://github.com/spiffe/spiffe-csi/tree/main/example/config) can be used. +1. Register the SPIRE workload entry for Tekton with the "Admin" flag, which will allow the Tekton controller to communicate with the SPIRE server to manage the TaskRun identities dynamically. + ``` + + # This example is assuming use of the above SPIRE deployment + # Example where trust domain is "example.org" and cluster name is "example-cluster" + + # Register a node alias for all nodes of which the Tekton Controller may reside + kubectl -n spire exec -it \ + deployment/spire-server -- \ + /opt/spire/bin/spire-server entry create \ + -node \ + -spiffeID spiffe://example.org/allnodes \ + -selector k8s_psat:cluster:example-cluster + + # Register the tekton controller workload to have access to creating entries in the SPIRE server + kubectl -n spire exec -it \ + deployment/spire-server -- \ + /opt/spire/bin/spire-server entry create \ + -admin \ + -spiffeID spiffe://example.org/tekton/controller \ + -parentID spiffe://example.org/allnode \ + -selector k8s:ns:tekton-pipelines \ + -selector k8s:pod-label:app:tekton-pipelines-controller \ + -selector k8s:sa:tekton-pipelines-controller + + ``` + +1. Modify the controller (`config/controller.yaml`) to provide access to the SPIRE agent socket. + ```yaml + # Add the following the volumeMounts of the "tekton-pipelines-controller" container + - name: spiffe-workload-api + mountPath: /spiffe-workload-api + readOnly: true + + # Add the following to the volumes of the controller pod + - name: spiffe-workload-api + csi: + driver: "csi.spiffe.io" + ``` +1. (Optional) Modify the configmap (`config/config-spire.yaml`) to configure non-default SPIRE options. + ```yaml + apiVersion: v1 + kind: ConfigMap + metadata: + name: config-spire + namespace: tekton-pipelines + labels: + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines + data: + # spire-trust-domain specifies the SPIRE trust domain to use. + spire-trust-domain: "example.org" + # spire-socket-path specifies the SPIRE agent socket for SPIFFE workload API. + spire-socket-path: "unix:///spiffe-workload-api/spire-agent.sock" + # spire-server-addr specifies the SPIRE server address for workload/node registration. + spire-server-addr: "spire-server.spire.svc.cluster.local:8081" + # spire-node-alias-prefix specifies the SPIRE node alias prefix to use. + spire-node-alias-prefix: "/tekton-node/" + ``` +## Sample TaskRun attestation + +The following example shows how this feature works: + +```yaml +kind: TaskRun +apiVersion: tekton.dev/v1beta1 +metadata: + name: non-falsifiable-provenance +spec: + timeout: 60s + taskSpec: + steps: + - name: non-falsifiable + image: ubuntu + script: | + #!/usr/bin/env bash + printf "%s" "hello" > "$(results.foo.path)" + printf "%s" "world" > "$(results.bar.path)" + results: + - name: foo + - name: bar +``` + + +The termination message is: +``` +message: '[{"key":"RESULT_MANIFEST","value":"foo,bar","type":1},{"key":"RESULT_MANIFEST.sig","value":"MEQCIB4grfqBkcsGuVyoQd9KUVzNZaFGN6jQOKK90p5HWHqeAiB7yZerDA+YE3Af/ALG43DQzygiBpKhTt8gzWGmpvXJFw==","type":1},{"key":"SVID","value":"-----BEGIN + CERTIFICATE-----\nMIICCjCCAbCgAwIBAgIRALH94zAZZXdtPg97O5vG5M0wCgYIKoZIzj0EAwIwHjEL\nMAkGA1UEBhMCVVMxDzANBgNVBAoTBlNQSUZGRTAeFw0yMjAzMTQxNTUzNTlaFw0y\nMjAzMTQxNjU0MDlaMB0xCzAJBgNVBAYTAlVTMQ4wDAYDVQQKEwVTUElSRTBZMBMG\nByqGSM49AgEGCCqGSM49AwEHA0IABPLzFTDY0RDpjKb+eZCIWgUw9DViu8/pM8q7\nHMTKCzlyGqhaU80sASZfpkZvmi72w+gLszzwVI1ZNU5e7aCzbtSjgc8wgcwwDgYD\nVR0PAQH/BAQDAgOoMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNV\nHRMBAf8EAjAAMB0GA1UdDgQWBBSsUvspy+/Dl24pA1f+JuNVJrjgmTAfBgNVHSME\nGDAWgBSOMyOHnyLLGxPSD9RRFL+Yhm/6qzBNBgNVHREERjBEhkJzcGlmZmU6Ly9l\neGFtcGxlLm9yZy9ucy9kZWZhdWx0L3Rhc2tydW4vbm9uLWZhbHNpZmlhYmxlLXBy\nb3ZlbmFuY2UwCgYIKoZIzj0EAwIDSAAwRQIhAM4/bPAH9dyhBEj3DbwtJKMyEI56\n4DVrP97ps9QYQb23AiBiXWrQkvRYl0h4CX0lveND2yfqLrGdVL405O5NzCcUrA==\n-----END + CERTIFICATE-----\n","type":1},{"key":"bar","value":"world","type":1},{"key":"bar.sig","value":"MEUCIQDOtg+aEP1FCr6/FsHX+bY1d5abSQn2kTiUMg4Uic2lVQIgTVF5bbT/O77VxESSMtQlpBreMyw2GmKX2hYJlaOEH1M=","type":1},{"key":"foo","value":"hello","type":1},{"key":"foo.sig","value":"MEQCIBr+k0i7SRSyb4h96vQE9hhxBZiZb/2PXQqReOKJDl/rAiBrjgSsalwOvN0zgQay0xQ7PRbm5YSmI8tvKseLR8Ryww==","type":1}]' +``` + +Parsed, the fields are: +- `RESULT_MANIFEST`: List of results that should be present, to prevent pick and choose attacks +- `RESULT_MANIFEST.sig`: The signature of the result manifest +- `SVID`: The x509 certificate that will be used to verify the signature trust chain to the authority +- `*.sig`: The signature of each individual result output +``` + βˆ™ RESULT_MANIFEST foo,bar + βˆ™ RESULT_MANIFEST.sig MEQCIB4grfqBkcsGuVyoQd9KUVzNZaFGN6jQOKK90p5HWHqeAiB7yZerDA+YE3Af/ALG43DQzygiBpKhTt8gzWGmpvXJFw== + βˆ™ SVID -----BEGIN CERTIFICATE----- +MIICCjCCAbCgAwIBAgIRALH94zAZZXdtPg97O5vG5M0wCgYIKoZIzj0EAwIwHjEL +MAkGA1UEBhMCVVMxDzANBgNVBAoTBlNQSUZGRTAeFw0yMjAzMTQxNTUzNTlaFw0y +MjAzMTQxNjU0MDlaMB0xCzAJBgNVBAYTAlVTMQ4wDAYDVQQKEwVTUElSRTBZMBMG +ByqGSM49AgEGCCqGSM49AwEHA0IABPLzFTDY0RDpjKb+eZCIWgUw9DViu8/pM8q7 +HMTKCzlyGqhaU80sASZfpkZvmi72w+gLszzwVI1ZNU5e7aCzbtSjgc8wgcwwDgYD +VR0PAQH/BAQDAgOoMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNV +HRMBAf8EAjAAMB0GA1UdDgQWBBSsUvspy+/Dl24pA1f+JuNVJrjgmTAfBgNVHSME +GDAWgBSOMyOHnyLLGxPSD9RRFL+Yhm/6qzBNBgNVHREERjBEhkJzcGlmZmU6Ly9l +eGFtcGxlLm9yZy9ucy9kZWZhdWx0L3Rhc2tydW4vbm9uLWZhbHNpZmlhYmxlLXBy +b3ZlbmFuY2UwCgYIKoZIzj0EAwIDSAAwRQIhAM4/bPAH9dyhBEj3DbwtJKMyEI56 +4DVrP97ps9QYQb23AiBiXWrQkvRYl0h4CX0lveND2yfqLrGdVL405O5NzCcUrA== +-----END CERTIFICATE----- + βˆ™ bar world + βˆ™ bar.sig MEUCIQDOtg+aEP1FCr6/FsHX+bY1d5abSQn2kTiUMg4Uic2lVQIgTVF5bbT/O77VxESSMtQlpBreMyw2GmKX2hYJlaOEH1M= + βˆ™ foo hello + βˆ™ foo.sig MEQCIBr+k0i7SRSyb4h96vQE9hhxBZiZb/2PXQqReOKJDl/rAiBrjgSsalwOvN0zgQay0xQ7PRbm5YSmI8tvKseLR8Ryww== +``` + + +However, the verification materials are removed from the results as part of the TaskRun status: +```console +$ tkn tr describe non-falsifiable-provenance +Name: non-falsifiable-provenance +Namespace: default +Service Account: default +Timeout: 1m0s +Labels: + app.kubernetes.io/managed-by=tekton-pipelines + +🌑️ Status + +STARTED DURATION STATUS +38 seconds ago 36 seconds Succeeded + +πŸ“ Results + + NAME VALUE + βˆ™ bar world + βˆ™ foo hello + +🦢 Steps + + NAME STATUS + βˆ™ non-falsifiable Completed +``` + +## How is the result being verified + +The signatures are being verified by the Tekton controller, the process of verification is as follows: + +- Verifying the SVID + - Obtain the trust bundle from the SPIRE server + - Verify the SVID with the trust bundle + - Verify that the SVID spiffe ID is for the correct TaskRun +- Verifying the result manifest + - Verify the content of `RESULT_MANIFEST` with the field `RESULT_MANIFEST.sig` with the SVID public key + - Verify that there is a corresponding field for all items listed in `RESULT_MANIFEST` (besides SVID and `*.sig` fields) +- Verify individual result fields + - For each of the items in the results, verify its content against its associated `.sig` field + + +## Further Details + +To learn more about SPIRE TaskRun attestations, check out the [TEP](https://github.com/tektoncd/community/blob/main/teps/0089-nonfalsifiable-provenance-support.md). \ No newline at end of file diff --git a/examples/v1beta1/pipelineruns/4808-regression.yaml b/examples/v1beta1/pipelineruns/4808-regression.yaml index df4502a8a88..4ebf63c8fca 100644 --- a/examples/v1beta1/pipelineruns/4808-regression.yaml +++ b/examples/v1beta1/pipelineruns/4808-regression.yaml @@ -92,4 +92,4 @@ spec: name: result-test params: - name: RESULT_STRING_LENGTH - value: "3000" + value: "2000" diff --git a/hack/update-codegen.sh b/hack/update-codegen.sh index 52fd3bd8d81..5336a86826d 100755 --- a/hack/update-codegen.sh +++ b/hack/update-codegen.sh @@ -57,6 +57,11 @@ ${PREFIX}/deepcopy-gen \ --go-header-file ${REPO_ROOT_DIR}/hack/boilerplate/boilerplate.go.txt \ -i github.com/tektoncd/pipeline/pkg/apis/config +${PREFIX}/deepcopy-gen \ + -O zz_generated.deepcopy \ + --go-header-file ${REPO_ROOT_DIR}/hack/boilerplate/boilerplate.go.txt \ + -i github.com/tektoncd/pipeline/pkg/spire/config + ${PREFIX}/deepcopy-gen \ -O zz_generated.deepcopy \ --go-header-file ${REPO_ROOT_DIR}/hack/boilerplate/boilerplate.go.txt \ diff --git a/pkg/apis/config/feature_flags.go b/pkg/apis/config/feature_flags.go index 71dee99f42a..ef8206ea692 100644 --- a/pkg/apis/config/feature_flags.go +++ b/pkg/apis/config/feature_flags.go @@ -80,8 +80,12 @@ const ( DefaultSendCloudEventsForRuns = false // DefaultEmbeddedStatus is the default value for "embedded-status". DefaultEmbeddedStatus = FullEmbeddedStatus - // DefaultEnableSpire is the default value for "enable-spire". - DefaultEnableSpire = false + // EnforceNonfalsifiabilityWithSpire is the value used for "enable-nonfalsifiability" when SPIRE is used to enable non-falsifiability. + EnforceNonfalsifiabilityWithSpire = "spire" + // EnforceNonfalsifiabilityNone is the value used for "enable-nonfalsifiability" when non-falsifiability is not enabled. + EnforceNonfalsifiabilityNone = "" + // DefaultEnforceNonfalsifiability is the default value for "enforce-nonfalsifiability". + DefaultEnforceNonfalsifiability = EnforceNonfalsifiabilityNone // DefaultResourceVerificationMode is the default value for "resource-verification-mode". DefaultResourceVerificationMode = SkipResourceVerificationMode // DefaultEnableProvenanceInStatus is the default value for "enable-provenance-status". @@ -103,7 +107,7 @@ const ( enableAPIFields = "enable-api-fields" sendCloudEventsForRuns = "send-cloudevents-for-runs" embeddedStatus = "embedded-status" - enableSpire = "enable-spire" + enforceNonfalsifiability = "enforce-nonfalsifiability" verificationMode = "resource-verification-mode" enableProvenanceInStatus = "enable-provenance-in-status" resultExtractionMethod = "results-from" @@ -125,7 +129,7 @@ type FeatureFlags struct { SendCloudEventsForRuns bool AwaitSidecarReadiness bool EmbeddedStatus string - EnableSpire bool + EnforceNonfalsifiability string ResourceVerificationMode string EnableProvenanceInStatus bool ResultExtractionMethod string @@ -142,6 +146,14 @@ func GetFeatureFlagsConfigName() string { return "feature-flags" } +func getEnforceNonfalsifiabilityValues() map[string]struct{} { + var value struct{} + return map[string]struct{}{ + EnforceNonfalsifiabilityNone: value, + EnforceNonfalsifiabilityWithSpire: value, + } +} + // NewFeatureFlagsFromMap returns a Config given a map corresponding to a ConfigMap func NewFeatureFlagsFromMap(cfgMap map[string]string) (*FeatureFlags, error) { setFeature := func(key string, defaultValue bool, feature *bool) error { @@ -157,6 +169,19 @@ func NewFeatureFlagsFromMap(cfgMap map[string]string) (*FeatureFlags, error) { return nil } + setStringFeature := func(key string, defaultValue string, acceptedValues map[string]struct{}, feature *string) error { + value := defaultValue + if cfg, ok := cfgMap[key]; ok { + value = strings.ToLower(cfg) + } + if _, ok := acceptedValues[value]; !ok { + *feature = defaultValue + return fmt.Errorf("invalid value for feature flag %q: %q", key, value) + } + *feature = value + return nil + } + tc := FeatureFlags{} if err := setFeature(disableAffinityAssistantKey, DefaultDisableAffinityAssistant, &tc.DisableAffinityAssistant); err != nil { return nil, err @@ -207,7 +232,7 @@ func NewFeatureFlagsFromMap(cfgMap map[string]string) (*FeatureFlags, error) { if tc.EnableAPIFields == AlphaAPIFields { tc.EnableTektonOCIBundles = true tc.EnableCustomTasks = true - tc.EnableSpire = true + tc.EnforceNonfalsifiability = EnforceNonfalsifiabilityWithSpire } else { if err := setFeature(enableTektonOCIBundles, DefaultEnableTektonOciBundles, &tc.EnableTektonOCIBundles); err != nil { return nil, err @@ -215,7 +240,7 @@ func NewFeatureFlagsFromMap(cfgMap map[string]string) (*FeatureFlags, error) { if err := setFeature(enableCustomTasks, DefaultEnableCustomTasks, &tc.EnableCustomTasks); err != nil { return nil, err } - if err := setFeature(enableSpire, DefaultEnableSpire, &tc.EnableSpire); err != nil { + if err := setStringFeature(enforceNonfalsifiability, DefaultEnforceNonfalsifiability, getEnforceNonfalsifiabilityValues(), &tc.EnforceNonfalsifiability); err != nil { return nil, err } } diff --git a/pkg/apis/config/feature_flags_test.go b/pkg/apis/config/feature_flags_test.go index 4d38cb266a6..003c0f2660c 100644 --- a/pkg/apis/config/feature_flags_test.go +++ b/pkg/apis/config/feature_flags_test.go @@ -64,7 +64,7 @@ func TestNewFeatureFlagsFromConfigMap(t *testing.T) { EnableAPIFields: "alpha", SendCloudEventsForRuns: true, EmbeddedStatus: "both", - EnableSpire: true, + EnforceNonfalsifiability: "spire", ResourceVerificationMode: "enforce", EnableProvenanceInStatus: true, ResultExtractionMethod: "termination-message", @@ -78,10 +78,9 @@ func TestNewFeatureFlagsFromConfigMap(t *testing.T) { EnableAPIFields: "alpha", // These are prescribed as true by enabling "alpha" API fields, even // if the submitted text value is "false". - EnableTektonOCIBundles: true, - EnableCustomTasks: true, - EnableSpire: true, - + EnableTektonOCIBundles: true, + EnableCustomTasks: true, + EnforceNonfalsifiability: "spire", DisableAffinityAssistant: config.DefaultDisableAffinityAssistant, DisableCredsInit: config.DefaultDisableCredsInit, RunningInEnvWithInjectedSidecars: config.DefaultRunningInEnvWithInjectedSidecars, @@ -141,7 +140,7 @@ func TestNewFeatureFlagsFromConfigMap(t *testing.T) { EnableAPIFields: "stable", EmbeddedStatus: "full", EnableCustomTasks: config.DefaultEnableCustomTasks, - EnableSpire: true, + EnforceNonfalsifiability: "spire", ResourceVerificationMode: config.DefaultResourceVerificationMode, RunningInEnvWithInjectedSidecars: config.DefaultRunningInEnvWithInjectedSidecars, AwaitSidecarReadiness: config.DefaultAwaitSidecarReadiness, @@ -149,7 +148,7 @@ func TestNewFeatureFlagsFromConfigMap(t *testing.T) { MaxResultSize: config.DefaultMaxResultSize, CustomTaskVersion: config.DefaultCustomTaskVersion, }, - fileName: "feature-flags-enable-spire", + fileName: "feature-flags-enforce-nonfalsifiability-spire", }, { expectedConfig: &config.FeatureFlags{ @@ -189,7 +188,7 @@ func TestNewFeatureFlagsFromEmptyConfigMap(t *testing.T) { EnableAPIFields: config.DefaultEnableAPIFields, SendCloudEventsForRuns: config.DefaultSendCloudEventsForRuns, EmbeddedStatus: config.DefaultEmbeddedStatus, - EnableSpire: config.DefaultEnableSpire, + EnforceNonfalsifiability: config.DefaultEnforceNonfalsifiability, ResourceVerificationMode: config.DefaultResourceVerificationMode, EnableProvenanceInStatus: config.DefaultEnableProvenanceInStatus, ResultExtractionMethod: config.DefaultResultExtractionMethod, @@ -245,6 +244,8 @@ func TestNewFeatureFlagsConfigMapErrors(t *testing.T) { fileName: "feature-flags-invalid-max-result-size-bad-value", }, { fileName: "feature-flags-invalid-custom-task-version", + }, { + fileName: "feature-flags-enforce-nonfalsifiability-bad-flag", }} { t.Run(tc.fileName, func(t *testing.T) { cm := test.ConfigMapFromTestFile(t, tc.fileName) diff --git a/pkg/apis/config/spire_config.go b/pkg/apis/config/spire_config.go new file mode 100644 index 00000000000..7ad507f2020 --- /dev/null +++ b/pkg/apis/config/spire_config.go @@ -0,0 +1,83 @@ +/* +Copyright 2022 The Tekton Authors + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package config + +import ( + "fmt" + "os" + + sc "github.com/tektoncd/pipeline/pkg/spire/config" + corev1 "k8s.io/api/core/v1" +) + +const ( + // SpireConfigMapName is the name of the trusted resources configmap + SpireConfigMapName = "config-spire" + + // SpireTrustDomain is the key to extract out the SPIRE trust domain to use + SpireTrustDomain = "spire-trust-domain" + // SpireSocketPath is the key to extract out the SPIRE agent socket for SPIFFE workload API + SpireSocketPath = "spire-socket-path" + // SpireServerAddr is the key to extract out the SPIRE server address for workload/node registration + SpireServerAddr = "spire-server-addr" + // SpireNodeAliasPrefix is the key to extract out the SPIRE node alias prefix to use + SpireNodeAliasPrefix = "spire-node-alias-prefix" + + // SpireTrustDomainDefault is the default value for the SpireTrustDomain + SpireTrustDomainDefault = "example.org" + // SpireSocketPathDefault is the default value for the SpireSocketPath + SpireSocketPathDefault = "unix:///spiffe-workload-api/spire-agent.sock" + // SpireServerAddrDefault is the default value for the SpireServerAddr + SpireServerAddrDefault = "spire-server.spire.svc.cluster.local:8081" + // SpireNodeAliasPrefixDefault is the default value for the SpireNodeAliasPrefix + SpireNodeAliasPrefixDefault = "/tekton-node/" +) + +// NewSpireConfigFromMap creates a Config from the supplied map +func NewSpireConfigFromMap(data map[string]string) (*sc.SpireConfig, error) { + cfg := &sc.SpireConfig{} + var ok bool + if cfg.TrustDomain, ok = data[SpireTrustDomain]; !ok { + cfg.TrustDomain = SpireTrustDomainDefault + } + if cfg.SocketPath, ok = data[SpireSocketPath]; !ok { + cfg.SocketPath = SpireSocketPathDefault + } + if cfg.ServerAddr, ok = data[SpireServerAddr]; !ok { + cfg.ServerAddr = SpireServerAddrDefault + } + if cfg.NodeAliasPrefix, ok = data[SpireNodeAliasPrefix]; !ok { + cfg.NodeAliasPrefix = SpireNodeAliasPrefixDefault + } + if err := cfg.Validate(); err != nil { + return nil, fmt.Errorf("failed to parse SPIRE configmap: %w", err) + } + return cfg, nil +} + +// NewSpireConfigFromConfigMap creates a Config from the supplied ConfigMap +func NewSpireConfigFromConfigMap(configMap *corev1.ConfigMap) (*sc.SpireConfig, error) { + return NewSpireConfigFromMap(configMap.Data) +} + +// GetSpireConfigName returns the name of Spire ConfigMap +func GetSpireConfigName() string { + if e := os.Getenv("CONFIG_SPIRE"); e != "" { + return e + } + return SpireConfigMapName +} diff --git a/pkg/apis/config/spire_config_test.go b/pkg/apis/config/spire_config_test.go new file mode 100644 index 00000000000..d6e743af4f3 --- /dev/null +++ b/pkg/apis/config/spire_config_test.go @@ -0,0 +1,70 @@ +/* +Copyright 2021 The Tekton Authors + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package config_test + +import ( + "testing" + + "github.com/google/go-cmp/cmp" + "github.com/tektoncd/pipeline/pkg/apis/config" + test "github.com/tektoncd/pipeline/pkg/reconciler/testing" + sc "github.com/tektoncd/pipeline/pkg/spire/config" + "github.com/tektoncd/pipeline/test/diff" +) + +func TestNewSpireConfigFromConfigMap(t *testing.T) { + type testCase struct { + want *sc.SpireConfig + fileName string + } + + testCases := []testCase{ + { + want: &sc.SpireConfig{ + TrustDomain: "test.com", + SocketPath: "unix:///test-spire-api/test-spire-agent.sock", + ServerAddr: "test-spire-server.spire.svc.cluster.local:8081", + NodeAliasPrefix: "/test-tekton-node/", + }, + fileName: config.GetSpireConfigName(), + }, + { + want: &sc.SpireConfig{ + TrustDomain: "example.org", + SocketPath: "unix:///spiffe-workload-api/spire-agent.sock", + ServerAddr: "spire-server.spire.svc.cluster.local:8081", + NodeAliasPrefix: "/tekton-node/", + }, + fileName: "config-spire-empty", + }, + } + + for _, tc := range testCases { + verifyConfigFileWithExpectedSpireConfig(t, tc.fileName, tc.want) + } +} + +func verifyConfigFileWithExpectedSpireConfig(t *testing.T, fileName string, want *sc.SpireConfig) { + cm := test.ConfigMapFromTestFile(t, fileName) + if got, err := config.NewSpireConfigFromConfigMap(cm); err == nil { + if d := cmp.Diff(got, want); d != "" { + t.Errorf("Diff:\n%s", diff.PrintWantGot(d)) + } + } else { + t.Errorf("NewSpireConfigFromConfigMap(actual) = %v", err) + } +} diff --git a/pkg/apis/config/store.go b/pkg/apis/config/store.go index 338a05c2ff9..5143d3e0b79 100644 --- a/pkg/apis/config/store.go +++ b/pkg/apis/config/store.go @@ -19,6 +19,7 @@ package config import ( "context" + sc "github.com/tektoncd/pipeline/pkg/spire/config" "knative.dev/pkg/configmap" ) @@ -33,6 +34,7 @@ type Config struct { ArtifactPVC *ArtifactPVC Metrics *Metrics TrustedResources *TrustedResources + SpireConfig *sc.SpireConfig } // FromContext extracts a Config from the provided context. @@ -56,6 +58,8 @@ func FromContextOrDefaults(ctx context.Context) *Config { artifactPVC, _ := NewArtifactPVCFromMap(map[string]string{}) metrics, _ := newMetricsFromMap(map[string]string{}) trustedresources, _ := NewTrustedResourcesConfigFromMap(map[string]string{}) + spireconfig, _ := NewSpireConfigFromMap(map[string]string{}) + return &Config{ Defaults: defaults, FeatureFlags: featureFlags, @@ -63,6 +67,7 @@ func FromContextOrDefaults(ctx context.Context) *Config { ArtifactPVC: artifactPVC, Metrics: metrics, TrustedResources: trustedresources, + SpireConfig: spireconfig, } } @@ -91,6 +96,7 @@ func NewStore(logger configmap.Logger, onAfterStore ...func(name string, value i GetArtifactPVCConfigName(): NewArtifactPVCFromConfigMap, GetMetricsConfigName(): NewMetricsFromConfigMap, GetTrustedResourcesConfigName(): NewTrustedResourcesConfigFromConfigMap, + GetSpireConfigName(): NewSpireConfigFromConfigMap, }, onAfterStore..., ), @@ -131,6 +137,10 @@ func (s *Store) Load() *Config { if trustedresources == nil { trustedresources, _ = NewTrustedResourcesConfigFromMap(map[string]string{}) } + spireconfig := s.UntypedLoad(GetSpireConfigName()) + if spireconfig == nil { + spireconfig, _ = NewSpireConfigFromMap(map[string]string{}) + } return &Config{ Defaults: defaults.(*Defaults).DeepCopy(), @@ -139,5 +149,6 @@ func (s *Store) Load() *Config { ArtifactPVC: artifactPVC.(*ArtifactPVC).DeepCopy(), Metrics: metrics.(*Metrics).DeepCopy(), TrustedResources: trustedresources.(*TrustedResources).DeepCopy(), + SpireConfig: spireconfig.(*sc.SpireConfig).DeepCopy(), } } diff --git a/pkg/apis/config/store_test.go b/pkg/apis/config/store_test.go index 3e04f19d1fe..fcb42a44d66 100644 --- a/pkg/apis/config/store_test.go +++ b/pkg/apis/config/store_test.go @@ -35,6 +35,7 @@ func TestStoreLoadWithContext(t *testing.T) { artifactPVCConfig := test.ConfigMapFromTestFile(t, "config-artifact-pvc") metricsConfig := test.ConfigMapFromTestFile(t, "config-observability") trustedresourcesConfig := test.ConfigMapFromTestFile(t, "config-trusted-resources") + spireConfig := test.ConfigMapFromTestFile(t, "config-spire") expectedDefaults, _ := config.NewDefaultsFromConfigMap(defaultConfig) expectedFeatures, _ := config.NewFeatureFlagsFromConfigMap(featuresConfig) @@ -42,6 +43,7 @@ func TestStoreLoadWithContext(t *testing.T) { expectedArtifactPVC, _ := config.NewArtifactPVCFromConfigMap(artifactPVCConfig) metrics, _ := config.NewMetricsFromConfigMap(metricsConfig) expectedTrustedResources, _ := config.NewTrustedResourcesConfigFromConfigMap(trustedresourcesConfig) + expectedSpireConfig, _ := config.NewSpireConfigFromConfigMap(spireConfig) expected := &config.Config{ Defaults: expectedDefaults, @@ -50,6 +52,7 @@ func TestStoreLoadWithContext(t *testing.T) { ArtifactPVC: expectedArtifactPVC, Metrics: metrics, TrustedResources: expectedTrustedResources, + SpireConfig: expectedSpireConfig, } store := config.NewStore(logtesting.TestLogger(t)) @@ -59,6 +62,7 @@ func TestStoreLoadWithContext(t *testing.T) { store.OnConfigChanged(artifactPVCConfig) store.OnConfigChanged(metricsConfig) store.OnConfigChanged(trustedresourcesConfig) + store.OnConfigChanged(spireConfig) cfg := config.FromContext(store.ToContext(context.Background())) @@ -74,21 +78,23 @@ func TestStoreLoadWithContext_Empty(t *testing.T) { artifactPVC, _ := config.NewArtifactPVCFromMap(map[string]string{}) metrics, _ := config.NewMetricsFromConfigMap(&corev1.ConfigMap{Data: map[string]string{}}) trustedresources, _ := config.NewTrustedResourcesConfigFromMap(map[string]string{}) + spireConfig, _ := config.NewSpireConfigFromMap(map[string]string{}) - expected := &config.Config{ + want := &config.Config{ Defaults: defaults, FeatureFlags: featureFlags, ArtifactBucket: artifactBucket, ArtifactPVC: artifactPVC, Metrics: metrics, TrustedResources: trustedresources, + SpireConfig: spireConfig, } store := config.NewStore(logtesting.TestLogger(t)) - cfg := config.FromContext(store.ToContext(context.Background())) + got := config.FromContext(store.ToContext(context.Background())) - if d := cmp.Diff(cfg, expected); d != "" { + if d := cmp.Diff(want, got); d != "" { t.Errorf("Unexpected config %s", diff.PrintWantGot(d)) } } diff --git a/pkg/apis/config/testdata/config-spire-empty.yaml b/pkg/apis/config/testdata/config-spire-empty.yaml new file mode 100644 index 00000000000..834f88ee409 --- /dev/null +++ b/pkg/apis/config/testdata/config-spire-empty.yaml @@ -0,0 +1,29 @@ +# Copyright 2022 The Tekton Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +kind: ConfigMap +metadata: + name: config-spire + namespace: tekton-pipelines + labels: + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines +data: + _example: | + ################################ + # # + # EXAMPLE CONFIGURATION # + # # + ################################ diff --git a/pkg/apis/config/testdata/config-spire.yaml b/pkg/apis/config/testdata/config-spire.yaml new file mode 100644 index 00000000000..85c328242c3 --- /dev/null +++ b/pkg/apis/config/testdata/config-spire.yaml @@ -0,0 +1,31 @@ +# Copyright 2022 The Tekton Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +kind: ConfigMap +metadata: + name: config-spire + namespace: tekton-pipelines + labels: + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines +data: + # spire-trust-domain specifies the SPIRE trust domain to use. + spire-trust-domain: "test.com" + # spire-socket-path specifies the SPIRE agent socket for SPIFFE workload API. + spire-socket-path: "unix:///test-spire-api/test-spire-agent.sock" + # spire-server-addr specifies the SPIRE server address for workload/node registration. + spire-server-addr: "test-spire-server.spire.svc.cluster.local:8081" + # spire-node-alias-prefix specifies the SPIRE node alias prefix to use. + spire-node-alias-prefix: "/test-tekton-node/" diff --git a/pkg/apis/config/testdata/feature-flags-all-flags-set.yaml b/pkg/apis/config/testdata/feature-flags-all-flags-set.yaml index 6b0aff680a0..909594069d7 100644 --- a/pkg/apis/config/testdata/feature-flags-all-flags-set.yaml +++ b/pkg/apis/config/testdata/feature-flags-all-flags-set.yaml @@ -27,7 +27,7 @@ data: enable-api-fields: "alpha" send-cloudevents-for-runs: "true" embedded-status: "both" - enable-spire: "true" + enforce-nonfalsifiability: "spire" resource-verification-mode: "enforce" enable-provenance-in-status: "true" custom-task-version: "v1beta1" diff --git a/pkg/apis/config/testdata/feature-flags-enable-api-fields-overrides-bundles-and-custom-tasks.yaml b/pkg/apis/config/testdata/feature-flags-enable-api-fields-overrides-bundles-and-custom-tasks.yaml index cea578c238d..8fe445f1f00 100644 --- a/pkg/apis/config/testdata/feature-flags-enable-api-fields-overrides-bundles-and-custom-tasks.yaml +++ b/pkg/apis/config/testdata/feature-flags-enable-api-fields-overrides-bundles-and-custom-tasks.yaml @@ -6,5 +6,5 @@ metadata: data: enable-tekton-oci-bundles: "false" enable-custom-tasks: "false" - enable-spire: "false" + enforce-nonfalsifiability: "" enable-api-fields: "alpha" diff --git a/pkg/apis/config/testdata/feature-flags-enforce-nonfalsifiability-bad-flag.yaml b/pkg/apis/config/testdata/feature-flags-enforce-nonfalsifiability-bad-flag.yaml new file mode 100644 index 00000000000..856694bd46f --- /dev/null +++ b/pkg/apis/config/testdata/feature-flags-enforce-nonfalsifiability-bad-flag.yaml @@ -0,0 +1,7 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: feature-flags + namespace: tekton-pipelines +data: + enforce-nonfalsifiability: "bad-value" diff --git a/pkg/apis/config/testdata/feature-flags-enable-spire.yaml b/pkg/apis/config/testdata/feature-flags-enforce-nonfalsifiability-spire.yaml similarity index 72% rename from pkg/apis/config/testdata/feature-flags-enable-spire.yaml rename to pkg/apis/config/testdata/feature-flags-enforce-nonfalsifiability-spire.yaml index ae4e99a93c6..79c69d40d93 100644 --- a/pkg/apis/config/testdata/feature-flags-enable-spire.yaml +++ b/pkg/apis/config/testdata/feature-flags-enforce-nonfalsifiability-spire.yaml @@ -4,4 +4,4 @@ metadata: name: feature-flags namespace: tekton-pipelines data: - enable-spire: "true" + enforce-nonfalsifiability: "spire" diff --git a/pkg/pod/pod.go b/pkg/pod/pod.go index 0f9a17bd9ba..d3dc844cd1c 100644 --- a/pkg/pod/pod.go +++ b/pkg/pod/pod.go @@ -31,6 +31,7 @@ import ( "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1" "github.com/tektoncd/pipeline/pkg/internal/computeresources/tasklevel" "github.com/tektoncd/pipeline/pkg/names" + "github.com/tektoncd/pipeline/pkg/spire" corev1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/runtime/schema" @@ -122,6 +123,12 @@ func (b *Builder) Build(ctx context.Context, taskRun *v1beta1.TaskRun, taskSpec alphaAPIEnabled := featureFlags.EnableAPIFields == config.AlphaAPIFields sidecarLogsResultsEnabled := config.FromContextOrDefaults(ctx).FeatureFlags.ResultExtractionMethod == config.ResultExtractionMethodSidecarLogs + // Entrypoint arg to enable or disable spire + commonExtraEntrypointArgs := []string{} + if config.FromContextOrDefaults(ctx).FeatureFlags.EnforceNonfalsifiability == config.EnforceNonfalsifiabilityWithSpire { + commonExtraEntrypointArgs = append(commonExtraEntrypointArgs, "-enable_spire") + } + // Add our implicit volumes first, so they can be overridden by the user if they prefer. volumes = append(volumes, implicitVolumes...) volumeMounts = append(volumeMounts, implicitVolumeMounts...) @@ -129,7 +136,6 @@ func (b *Builder) Build(ctx context.Context, taskRun *v1beta1.TaskRun, taskSpec // Create Volumes and VolumeMounts for any credentials found in annotated // Secrets, along with any arguments needed by Step entrypoints to process // those secrets. - commonExtraEntrypointArgs := []string{} credEntrypointArgs, credVolumes, credVolumeMounts, err := credsInit(ctx, taskRun.Spec.ServiceAccountName, taskRun.Namespace, b.KubeClient) if err != nil { return nil, err @@ -307,6 +313,36 @@ func (b *Builder) Build(ctx context.Context, taskRun *v1beta1.TaskRun, taskSpec return nil, err } + readonly := true + if config.FromContextOrDefaults(ctx).FeatureFlags.EnforceNonfalsifiability == config.EnforceNonfalsifiabilityWithSpire { + volumes = append(volumes, corev1.Volume{ + Name: spire.WorkloadAPI, + VolumeSource: corev1.VolumeSource{ + CSI: &corev1.CSIVolumeSource{ + Driver: "csi.spiffe.io", + ReadOnly: &readonly, + }, + }, + }) + + for i := range stepContainers { + c := &stepContainers[i] + c.VolumeMounts = append(c.VolumeMounts, corev1.VolumeMount{ + Name: spire.WorkloadAPI, + MountPath: spire.VolumeMountPath, + ReadOnly: true, + }) + } + for i := range initContainers { + c := &initContainers[i] + c.VolumeMounts = append(c.VolumeMounts, corev1.VolumeMount{ + Name: spire.WorkloadAPI, + MountPath: spire.VolumeMountPath, + ReadOnly: true, + }) + } + } + mergedPodContainers := stepContainers // Merge sidecar containers with step containers. diff --git a/pkg/pod/pod_test.go b/pkg/pod/pod_test.go index 87000a1aea0..11b5e65ccca 100644 --- a/pkg/pod/pod_test.go +++ b/pkg/pod/pod_test.go @@ -35,6 +35,7 @@ import ( "github.com/tektoncd/pipeline/pkg/apis/pipeline" "github.com/tektoncd/pipeline/pkg/apis/pipeline/pod" "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1" + "github.com/tektoncd/pipeline/pkg/spire" "github.com/tektoncd/pipeline/test/diff" "github.com/tektoncd/pipeline/test/names" corev1 "k8s.io/api/core/v1" @@ -87,6 +88,17 @@ func TestPodBuild(t *testing.T) { enableServiceLinks := false priorityClassName := "system-cluster-critical" taskRunName := "taskrun-name" + readonly := true + + initContainers := []corev1.Container{entrypointInitContainer(images.EntrypointImage, []v1beta1.Step{{Name: "name"}})} + for i := range initContainers { + c := &initContainers[i] + c.VolumeMounts = append(c.VolumeMounts, corev1.VolumeMount{ + Name: spire.WorkloadAPI, + MountPath: spire.VolumeMountPath, + ReadOnly: true, + }) + } for _, c := range []struct { desc string @@ -1523,7 +1535,7 @@ _EOF_ }, want: &corev1.PodSpec{ RestartPolicy: corev1.RestartPolicyNever, - InitContainers: []corev1.Container{entrypointInitContainer(images.EntrypointImage, []v1beta1.Step{{Name: "name"}})}, + InitContainers: initContainers, Containers: []corev1.Container{{ Name: "step-name", Image: "image", @@ -1538,6 +1550,7 @@ _EOF_ "/tekton/termination", "-step_metadata_dir", "/tekton/run/0/status", + "-enable_spire", "-entrypoint", "cmd", "--", @@ -1545,6 +1558,10 @@ _EOF_ VolumeMounts: append([]corev1.VolumeMount{binROMount, runMount(0, false), downwardMount, { Name: "tekton-creds-init-home-0", MountPath: "/tekton/creds", + }, { + Name: spire.WorkloadAPI, + MountPath: spire.VolumeMountPath, + ReadOnly: true, }}, implicitVolumeMounts...), TerminationMessagePath: "/tekton/termination", Env: []corev1.EnvVar{ @@ -1554,6 +1571,14 @@ _EOF_ Volumes: append(implicitVolumes, binVolume, runVolume(0), downwardVolume, corev1.Volume{ Name: "tekton-creds-init-home-0", VolumeSource: corev1.VolumeSource{EmptyDir: &corev1.EmptyDirVolumeSource{Medium: corev1.StorageMediumMemory}}, + }, corev1.Volume{ + Name: spire.WorkloadAPI, + VolumeSource: corev1.VolumeSource{ + CSI: &corev1.CSIVolumeSource{ + Driver: "csi.spiffe.io", + ReadOnly: &readonly, + }, + }, }), ActiveDeadlineSeconds: &defaultActiveDeadlineSeconds, }, @@ -1573,7 +1598,7 @@ _EOF_ }, want: &corev1.PodSpec{ RestartPolicy: corev1.RestartPolicyNever, - InitContainers: []corev1.Container{entrypointInitContainer(images.EntrypointImage, []v1beta1.Step{{Name: "name"}})}, + InitContainers: initContainers, Containers: []corev1.Container{{ Name: "step-name", Image: "image", @@ -1588,6 +1613,7 @@ _EOF_ "/tekton/termination", "-step_metadata_dir", "/tekton/run/0/status", + "-enable_spire", "-entrypoint", "cmd", "--", @@ -1595,6 +1621,10 @@ _EOF_ VolumeMounts: append([]corev1.VolumeMount{binROMount, runMount(0, false), downwardMount, { Name: "tekton-creds-init-home-0", MountPath: "/tekton/creds", + }, { + Name: spire.WorkloadAPI, + MountPath: spire.VolumeMountPath, + ReadOnly: true, }}, implicitVolumeMounts...), TerminationMessagePath: "/tekton/termination", Env: []corev1.EnvVar{ @@ -1606,6 +1636,14 @@ _EOF_ Volumes: append(implicitVolumes, binVolume, runVolume(0), downwardVolume, corev1.Volume{ Name: "tekton-creds-init-home-0", VolumeSource: corev1.VolumeSource{EmptyDir: &corev1.EmptyDirVolumeSource{Medium: corev1.StorageMediumMemory}}, + }, corev1.Volume{ + Name: spire.WorkloadAPI, + VolumeSource: corev1.VolumeSource{ + CSI: &corev1.CSIVolumeSource{ + Driver: "csi.spiffe.io", + ReadOnly: &readonly, + }, + }, }), ActiveDeadlineSeconds: &defaultActiveDeadlineSeconds, }, @@ -2001,9 +2039,24 @@ debug-fail-continue-heredoc-randomly-generated-mz4c7 `}, } + initContainers := []corev1.Container{entrypointInitContainer(images.EntrypointImage, []v1beta1.Step{{Name: "name"}}), placeScriptsContainer} + readonly := true + for i := range initContainers { + c := &initContainers[i] + c.VolumeMounts = append(c.VolumeMounts, corev1.VolumeMount{ + Name: spire.WorkloadAPI, + MountPath: spire.VolumeMountPath, + ReadOnly: true, + }) + } + containersVolumeMounts := append([]corev1.VolumeMount{binROMount, runMount(0, false), downwardMount, { Name: "tekton-creds-init-home-0", MountPath: "/tekton/creds", + }, { + Name: spire.WorkloadAPI, + MountPath: spire.VolumeMountPath, + ReadOnly: true, }}, implicitVolumeMounts...) containersVolumeMounts = append(containersVolumeMounts, debugScriptsVolumeMount) containersVolumeMounts = append(containersVolumeMounts, corev1.VolumeMount{ @@ -2034,7 +2087,7 @@ debug-fail-continue-heredoc-randomly-generated-mz4c7 }, want: &corev1.PodSpec{ RestartPolicy: corev1.RestartPolicyNever, - InitContainers: []corev1.Container{entrypointInitContainer(images.EntrypointImage, []v1beta1.Step{{Name: "name"}}), placeScriptsContainer}, + InitContainers: initContainers, Containers: []corev1.Container{{ Name: "step-name", Image: "image", @@ -2049,6 +2102,7 @@ debug-fail-continue-heredoc-randomly-generated-mz4c7 "/tekton/termination", "-step_metadata_dir", "/tekton/run/0/status", + "-enable_spire", "-breakpoint_on_failure", "-entrypoint", "cmd", @@ -2060,6 +2114,14 @@ debug-fail-continue-heredoc-randomly-generated-mz4c7 Volumes: append(implicitVolumes, debugScriptsVolume, debugInfoVolume, binVolume, scriptsVolume, runVolume(0), downwardVolume, corev1.Volume{ Name: "tekton-creds-init-home-0", VolumeSource: corev1.VolumeSource{EmptyDir: &corev1.EmptyDirVolumeSource{Medium: corev1.StorageMediumMemory}}, + }, corev1.Volume{ + Name: spire.WorkloadAPI, + VolumeSource: corev1.VolumeSource{ + CSI: &corev1.CSIVolumeSource{ + Driver: "csi.spiffe.io", + ReadOnly: &readonly, + }, + }, }), ActiveDeadlineSeconds: &defaultActiveDeadlineSeconds, }, @@ -2344,6 +2406,171 @@ func TestPodBuild_TaskLevelResourceRequirements(t *testing.T) { } } +func TestPodBuildwithSpireEnabled(t *testing.T) { + initContainers := []corev1.Container{entrypointInitContainer(images.EntrypointImage, []v1beta1.Step{{Name: "name"}})} + readonly := true + for i := range initContainers { + c := &initContainers[i] + c.VolumeMounts = append(c.VolumeMounts, corev1.VolumeMount{ + Name: spire.WorkloadAPI, + MountPath: spire.VolumeMountPath, + ReadOnly: true, + }) + } + + for _, c := range []struct { + desc string + trs v1beta1.TaskRunSpec + trAnnotation map[string]string + ts v1beta1.TaskSpec + want *corev1.PodSpec + wantAnnotations map[string]string + }{{ + desc: "simple with debug breakpoint onFailure", + trs: v1beta1.TaskRunSpec{ + Debug: &v1beta1.TaskRunDebug{ + Breakpoint: []string{breakpointOnFailure}, + }, + }, + ts: v1beta1.TaskSpec{ + Steps: []v1beta1.Step{{ + Name: "name", + Image: "image", + Command: []string{"cmd"}, // avoid entrypoint lookup. + }}, + }, + want: &corev1.PodSpec{ + RestartPolicy: corev1.RestartPolicyNever, + InitContainers: initContainers, + Containers: []corev1.Container{{ + Name: "step-name", + Image: "image", + Command: []string{"/tekton/bin/entrypoint"}, + Args: []string{ + "-wait_file", + "/tekton/downward/ready", + "-wait_file_content", + "-post_file", + "/tekton/run/0/out", + "-termination_path", + "/tekton/termination", + "-step_metadata_dir", + "/tekton/run/0/status", + "-enable_spire", + "-entrypoint", + "cmd", + "--", + }, + VolumeMounts: append([]corev1.VolumeMount{binROMount, runMount(0, false), downwardMount, { + Name: "tekton-creds-init-home-0", + MountPath: "/tekton/creds", + }, { + Name: spire.WorkloadAPI, + MountPath: spire.VolumeMountPath, + ReadOnly: true, + }}, implicitVolumeMounts...), + TerminationMessagePath: "/tekton/termination", + }}, + Volumes: append(implicitVolumes, binVolume, runVolume(0), downwardVolume, corev1.Volume{ + Name: "tekton-creds-init-home-0", + VolumeSource: corev1.VolumeSource{EmptyDir: &corev1.EmptyDirVolumeSource{Medium: corev1.StorageMediumMemory}}, + }, corev1.Volume{ + Name: spire.WorkloadAPI, + VolumeSource: corev1.VolumeSource{ + CSI: &corev1.CSIVolumeSource{ + Driver: "csi.spiffe.io", + ReadOnly: &readonly, + }, + }, + }), + ActiveDeadlineSeconds: &defaultActiveDeadlineSeconds, + }, + }} { + t.Run(c.desc, func(t *testing.T) { + featureFlags := map[string]string{ + "enforce-nonfalsifiability": "spire", + } + names.TestingSeed() + store := config.NewStore(logtesting.TestLogger(t)) + store.OnConfigChanged( + &corev1.ConfigMap{ + ObjectMeta: metav1.ObjectMeta{Name: config.GetFeatureFlagsConfigName(), Namespace: system.Namespace()}, + Data: featureFlags, + }, + ) + kubeclient := fakek8s.NewSimpleClientset( + &corev1.ServiceAccount{ObjectMeta: metav1.ObjectMeta{Name: "default", Namespace: "default"}}, + &corev1.ServiceAccount{ObjectMeta: metav1.ObjectMeta{Name: "service-account", Namespace: "default"}, + Secrets: []corev1.ObjectReference{{ + Name: "multi-creds", + }}, + }, + &corev1.Secret{ + ObjectMeta: metav1.ObjectMeta{ + Name: "multi-creds", + Namespace: "default", + Annotations: map[string]string{ + "tekton.dev/docker-0": "https://us.gcr.io", + "tekton.dev/docker-1": "https://docker.io", + "tekton.dev/git-0": "github.com", + "tekton.dev/git-1": "gitlab.com", + }}, + Type: "kubernetes.io/basic-auth", + Data: map[string][]byte{ + "username": []byte("foo"), + "password": []byte("BestEver"), + }, + }, + ) + var trAnnotations map[string]string + if c.trAnnotation == nil { + trAnnotations = map[string]string{ + ReleaseAnnotation: fakeVersion, + } + } else { + trAnnotations = c.trAnnotation + trAnnotations[ReleaseAnnotation] = fakeVersion + } + tr := &v1beta1.TaskRun{ + ObjectMeta: metav1.ObjectMeta{ + Name: "taskrun-name", + Namespace: "default", + Annotations: trAnnotations, + }, + Spec: c.trs, + } + + // No entrypoints should be looked up. + entrypointCache := fakeCache{} + builder := Builder{ + Images: images, + KubeClient: kubeclient, + EntrypointCache: entrypointCache, + } + + got, err := builder.Build(store.ToContext(context.Background()), tr, c.ts) + if err != nil { + t.Fatalf("builder.Build: %v", err) + } + + want := kmeta.ChildName(tr.Name, "-pod") + if d := cmp.Diff(got.Name, want); d != "" { + t.Errorf("got %v; want %v", got.Name, want) + } + + if d := cmp.Diff(c.want, &got.Spec, resourceQuantityCmp, volumeSort, volumeMountSort); d != "" { + t.Errorf("Diff %s", diff.PrintWantGot(d)) + } + + if c.wantAnnotations != nil { + if d := cmp.Diff(c.wantAnnotations, got.ObjectMeta.Annotations, cmpopts.IgnoreMapEntries(ignoreReleaseAnnotation)); d != "" { + t.Errorf("Annotation Diff(-want, +got):\n%s", d) + } + } + }) + } +} + // verifyTaskLevelComputeResources verifies that the given TaskRun's containers have the expected compute resources. func verifyTaskLevelComputeResources(expectedComputeResources []ExpectedComputeResources, containers []corev1.Container) error { if len(expectedComputeResources) != len(containers) { diff --git a/pkg/pod/status.go b/pkg/pod/status.go index 6fdcd2f7242..a68c5fb4a5d 100644 --- a/pkg/pod/status.go +++ b/pkg/pod/status.go @@ -29,6 +29,7 @@ import ( "github.com/tektoncd/pipeline/pkg/apis/config" "github.com/tektoncd/pipeline/pkg/apis/pipeline" "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1" + "github.com/tektoncd/pipeline/pkg/spire" "github.com/tektoncd/pipeline/pkg/termination" "go.uber.org/zap" corev1 "k8s.io/api/core/v1" @@ -109,11 +110,16 @@ func SidecarsReady(podStatus corev1.PodStatus) bool { } // MakeTaskRunStatus returns a TaskRunStatus based on the Pod's status. -func MakeTaskRunStatus(ctx context.Context, logger *zap.SugaredLogger, tr v1beta1.TaskRun, pod *corev1.Pod, kubeclient kubernetes.Interface) (v1beta1.TaskRunStatus, error) { +func MakeTaskRunStatus(ctx context.Context, logger *zap.SugaredLogger, tr v1beta1.TaskRun, pod *corev1.Pod, + kubeclient kubernetes.Interface, spireEnabled bool, spireAPI spire.ControllerAPIClient) (v1beta1.TaskRunStatus, error) { trs := &tr.Status if trs.GetCondition(apis.ConditionSucceeded) == nil || trs.GetCondition(apis.ConditionSucceeded).Status == corev1.ConditionUnknown { // If the taskRunStatus doesn't exist yet, it's because we just started running markStatusRunning(trs, v1beta1.TaskRunReasonRunning.String(), "Not all Steps in the Task have finished executing") + + if spireEnabled { + markStatusSignedResultsRunning(trs) + } } sortPodContainerStatuses(pod.Status.ContainerStatuses, pod.Spec.Containers) @@ -123,7 +129,7 @@ func MakeTaskRunStatus(ctx context.Context, logger *zap.SugaredLogger, tr v1beta if complete { updateCompletedTaskRunStatus(logger, trs, pod) } else { - updateIncompleteTaskRunStatus(trs, pod) + updateIncompleteTaskRunStatus(trs, pod, spireEnabled) } trs.PodName = pod.Name @@ -141,7 +147,7 @@ func MakeTaskRunStatus(ctx context.Context, logger *zap.SugaredLogger, tr v1beta } var merr *multierror.Error - if err := setTaskRunStatusBasedOnStepStatus(ctx, logger, stepStatuses, &tr, pod.Status.Phase, kubeclient); err != nil { + if err := setTaskRunStatusBasedOnStepStatus(ctx, logger, stepStatuses, &tr, pod.Status.Phase, kubeclient, spireEnabled, spireAPI); err != nil { merr = multierror.Append(merr, err) } @@ -152,7 +158,29 @@ func MakeTaskRunStatus(ctx context.Context, logger *zap.SugaredLogger, tr v1beta return *trs, merr.ErrorOrNil() } -func setTaskRunStatusBasedOnStepStatus(ctx context.Context, logger *zap.SugaredLogger, stepStatuses []corev1.ContainerStatus, tr *v1beta1.TaskRun, podPhase corev1.PodPhase, kubeclient kubernetes.Interface) *multierror.Error { +func setTaskRunStatusBasedOnSpireVerification(ctx context.Context, logger *zap.SugaredLogger, tr *v1beta1.TaskRun, trs *v1beta1.TaskRunStatus, + filteredResults []v1beta1.PipelineResourceResult, spireAPI spire.ControllerAPIClient) { + + if tr.IsSuccessful() && spireAPI != nil && + ((tr.Status.TaskSpec != nil && len(tr.Status.TaskSpec.Results) >= 1) || len(filteredResults) >= 1) { + logger.Info("validating signed results with spire: ", trs.TaskRunResults) + if err := spireAPI.VerifyTaskRunResults(ctx, filteredResults, tr); err != nil { + logger.Errorf("failed to verify signed results with spire: %w", err) + markStatusSignedResultsFailure(trs, err.Error()) + } else { + logger.Info("successfully validated signed results with spire") + markStatusSignedResultsVerified(trs) + } + } + + // If no results and no results requested, set verified unless results were specified as part of task spec + if len(filteredResults) == 0 && (tr.Status.TaskSpec == nil || len(tr.Status.TaskSpec.Results) == 0) { + markStatusSignedResultsVerified(trs) + } +} + +func setTaskRunStatusBasedOnStepStatus(ctx context.Context, logger *zap.SugaredLogger, stepStatuses []corev1.ContainerStatus, tr *v1beta1.TaskRun, podPhase corev1.PodPhase, kubeclient kubernetes.Interface, + spireEnabled bool, spireAPI spire.ControllerAPIClient) *multierror.Error { trs := &tr.Status var merr *multierror.Error @@ -165,7 +193,7 @@ func setTaskRunStatusBasedOnStepStatus(ctx context.Context, logger *zap.SugaredL merr = multierror.Append(merr, err) } // populate task run CRD with results from sidecar logs - taskResults, pipelineResourceResults, _ := filterResultsAndResources(sidecarLogResults) + taskResults, pipelineResourceResults, _ := filterResultsAndResources(sidecarLogResults, spireEnabled) if tr.IsSuccessful() { trs.TaskRunResults = append(trs.TaskRunResults, taskResults...) trs.ResourcesResult = append(trs.ResourcesResult, pipelineResourceResults...) @@ -191,10 +219,13 @@ func setTaskRunStatusBasedOnStepStatus(ctx context.Context, logger *zap.SugaredL logger.Errorf("error extracting the exit code of step %q in taskrun %q: %v", s.Name, tr.Name, err) merr = multierror.Append(merr, err) } - taskResults, pipelineResourceResults, filteredResults := filterResultsAndResources(results) + taskResults, pipelineResourceResults, filteredResults := filterResultsAndResources(results, spireEnabled) if tr.IsSuccessful() { trs.TaskRunResults = append(trs.TaskRunResults, taskResults...) trs.ResourcesResult = append(trs.ResourcesResult, pipelineResourceResults...) + if spireEnabled { + setTaskRunStatusBasedOnSpireVerification(ctx, logger, tr, trs, filteredResults, spireAPI) + } } msg, err = createMessageFromResults(filteredResults) if err != nil { @@ -245,7 +276,8 @@ func createMessageFromResults(results []v1beta1.PipelineResourceResult) (string, return string(bytes), nil } -func filterResultsAndResources(results []v1beta1.PipelineResourceResult) ([]v1beta1.TaskRunResult, []v1beta1.PipelineResourceResult, []v1beta1.PipelineResourceResult) { +func filterResultsAndResources(results []v1beta1.PipelineResourceResult, spireEnabled bool) ([]v1beta1.TaskRunResult, []v1beta1.PipelineResourceResult, []v1beta1.PipelineResourceResult) { + var taskResults []v1beta1.TaskRunResult var pipelineResourceResults []v1beta1.PipelineResourceResult var filteredResults []v1beta1.PipelineResourceResult @@ -257,6 +289,15 @@ func filterResultsAndResources(results []v1beta1.PipelineResourceResult) ([]v1be if err != nil { continue } + // TODO(#4723): Validate that the type we inferred from aos is matching the + // TaskResult Type before setting it to the taskRunResult. + // TODO(#4723): Validate the taskrun results against taskresults for object val + if spireEnabled { + if r.Key == spire.KeySVID || r.Key == spire.KeyResultManifest || strings.HasSuffix(r.Key, spire.KeySignatureSuffix) { + filteredResults = append(filteredResults, r) + continue + } + } taskRunResult := v1beta1.TaskRunResult{ Name: r.Key, Type: v1beta1.ResultsType(v.Type), @@ -338,10 +379,13 @@ func updateCompletedTaskRunStatus(logger *zap.SugaredLogger, trs *v1beta1.TaskRu trs.CompletionTime = &metav1.Time{Time: time.Now()} } -func updateIncompleteTaskRunStatus(trs *v1beta1.TaskRunStatus, pod *corev1.Pod) { +func updateIncompleteTaskRunStatus(trs *v1beta1.TaskRunStatus, pod *corev1.Pod, spireEnabled bool) { switch pod.Status.Phase { case corev1.PodRunning: markStatusRunning(trs, v1beta1.TaskRunReasonRunning.String(), "Not all Steps in the Task have finished executing") + if spireEnabled { + markStatusSignedResultsRunning(trs) + } case corev1.PodPending: switch { case IsPodExceedingNodeResources(pod): @@ -352,6 +396,9 @@ func updateIncompleteTaskRunStatus(trs *v1beta1.TaskRunStatus, pod *corev1.Pod) markStatusRunning(trs, ReasonPullImageFailed, getWaitingMessage(pod)) default: markStatusRunning(trs, ReasonPending, getWaitingMessage(pod)) + if spireEnabled { + markStatusSignedResultsRunning(trs) + } } } } @@ -529,6 +576,36 @@ func markStatusSuccess(trs *v1beta1.TaskRunStatus) { }) } +// markStatusResultsVerified sets taskrun status to +func markStatusSignedResultsVerified(trs *v1beta1.TaskRunStatus) { + trs.SetCondition(&apis.Condition{ + Type: apis.ConditionType(v1beta1.TaskRunConditionResultsVerified.String()), + Status: corev1.ConditionTrue, + Reason: v1beta1.TaskRunReasonResultsVerified.String(), + Message: "Successfully verified all spire signed taskrun results", + }) +} + +// markStatusFailure sets taskrun status to failure with specified reason +func markStatusSignedResultsFailure(trs *v1beta1.TaskRunStatus, message string) { + trs.SetCondition(&apis.Condition{ + Type: apis.ConditionType(v1beta1.TaskRunConditionResultsVerified.String()), + Status: corev1.ConditionFalse, + Reason: v1beta1.TaskRunReasonsResultsVerificationFailed.String(), + Message: message, + }) +} + +// markStatusRunning sets taskrun status to running +func markStatusSignedResultsRunning(trs *v1beta1.TaskRunStatus) { + trs.SetCondition(&apis.Condition{ + Type: apis.ConditionType(v1beta1.TaskRunConditionResultsVerified.String()), + Status: corev1.ConditionUnknown, + Reason: v1beta1.AwaitingTaskRunResults.String(), + Message: "Waiting upon TaskRun results and signatures to verify", + }) +} + // sortPodContainerStatuses reorders a pod's container statuses so that // they're in the same order as the step containers from the TaskSpec. func sortPodContainerStatuses(podContainerStatuses []corev1.ContainerStatus, podSpecContainers []corev1.Container) { diff --git a/pkg/pod/status_test.go b/pkg/pod/status_test.go index 771dffded5f..ddf0ceb4a88 100644 --- a/pkg/pod/status_test.go +++ b/pkg/pod/status_test.go @@ -18,7 +18,9 @@ package pod import ( "context" + "encoding/json" "fmt" + "sort" "strings" "testing" "time" @@ -29,6 +31,8 @@ import ( "github.com/tektoncd/pipeline/internal/sidecarlogresults" "github.com/tektoncd/pipeline/pkg/apis/config" "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1" + "github.com/tektoncd/pipeline/pkg/spire" + "github.com/tektoncd/pipeline/pkg/termination" "github.com/tektoncd/pipeline/test/diff" corev1 "k8s.io/api/core/v1" v1 "k8s.io/api/core/v1" @@ -88,7 +92,7 @@ func TestSetTaskRunStatusBasedOnStepStatus(t *testing.T) { logger, _ := logging.NewLogger("", "status") kubeclient := fakek8s.NewSimpleClientset() - merr := setTaskRunStatusBasedOnStepStatus(context.Background(), logger, c.ContainerStatuses, &tr, corev1.PodRunning, kubeclient) + merr := setTaskRunStatusBasedOnStepStatus(context.Background(), logger, c.ContainerStatuses, &tr, corev1.PodRunning, kubeclient, false, nil) if merr != nil { t.Errorf("setTaskRunStatusBasedOnStepStatus: %s", merr) } @@ -128,7 +132,6 @@ func TestSetTaskRunStatusBasedOnStepStatus_sidecar_logs(t *testing.T) { }, }, } - logger, _ := logging.NewLogger("", "status") kubeclient := fakek8s.NewSimpleClientset() pod := &v1.Pod{ @@ -164,11 +167,399 @@ func TestSetTaskRunStatusBasedOnStepStatus_sidecar_logs(t *testing.T) { }) var wantErr *multierror.Error wantErr = multierror.Append(wantErr, c.wantErr) - merr := setTaskRunStatusBasedOnStepStatus(ctx, logger, []corev1.ContainerStatus{{}}, &tr, pod.Status.Phase, kubeclient) - + merr := setTaskRunStatusBasedOnStepStatus(ctx, logger, []corev1.ContainerStatus{{}}, &tr, pod.Status.Phase, kubeclient, false, nil) if d := cmp.Diff(wantErr.Error(), merr.Error()); d != "" { t.Errorf("Got unexpected error %s", diff.PrintWantGot(d)) } + }) + } +} + +func TestMakeTaskRunStatusVerify(t *testing.T) { + sc := &spire.MockClient{} + processConditions := cmp.Transformer("sortConditionsAndFilterMessages", func(in []apis.Condition) []apis.Condition { + for i := range in { + in[i].Message = "" + } + sort.Slice(in, func(i, j int) bool { + return in[i].Type < in[j].Type + }) + return in + }) + + terminationMessageTrans := cmp.Transformer("sortAndPrint", func(in *corev1.ContainerStateTerminated) *corev1.ContainerStateTerminated { + prs, err := termination.ParseMessage(nil, in.Message) + if err != nil { + return in + } + sort.Slice(prs, func(i, j int) bool { + return prs[i].Key < prs[j].Key + }) + + b, _ := json.Marshal(prs) + in.Message = string(b) + + return in + }) + + // test awaiting results - OK + // results + test signed termination message - OK + // results + test unsigned termination message - OK + + // no task results, no result + test signed termiantion message + // no task results, no result + test unsigned termiantion message + // force task result, no result + test unsigned termiantion message + + statusSRVUnknown := func() duckv1.Status { + status := statusRunning() + status.Conditions = append(status.Conditions, apis.Condition{ + Type: apis.ConditionType(v1beta1.TaskRunConditionResultsVerified.String()), + Status: corev1.ConditionUnknown, + Reason: v1beta1.AwaitingTaskRunResults.String(), + Message: "Waiting upon TaskRun results and signatures to verify", + }) + return status + } + + statusSRVVerified := func() duckv1.Status { + status := statusSuccess() + status.Conditions = append(status.Conditions, apis.Condition{ + Type: apis.ConditionType(v1beta1.TaskRunConditionResultsVerified.String()), + Status: corev1.ConditionTrue, + Reason: v1beta1.TaskRunReasonResultsVerified.String(), + Message: "Successfully verified all spire signed taskrun results", + }) + return status + } + + statusSRVUnverified := func() duckv1.Status { + status := statusSuccess() + status.Conditions = append(status.Conditions, apis.Condition{ + Type: apis.ConditionType(v1beta1.TaskRunConditionResultsVerified.String()), + Status: corev1.ConditionFalse, + Reason: v1beta1.TaskRunReasonsResultsVerificationFailed.String(), + Message: "", + }) + return status + } + + for _, c := range []struct { + desc string + specifyTaskRunResult bool + resultOut []v1beta1.PipelineResourceResult + podStatus corev1.PodStatus + pod corev1.Pod + want v1beta1.TaskRunStatus + }{{ + // test awaiting results + desc: "running pod awaiting results", + podStatus: corev1.PodStatus{}, + + want: v1beta1.TaskRunStatus{ + Status: statusSRVUnknown(), + TaskRunStatusFields: v1beta1.TaskRunStatusFields{ + Steps: []v1beta1.StepState{}, + Sidecars: []v1beta1.SidecarState{}, + }, + }, + }, { + desc: "test result with pipeline result without signed termination message", + podStatus: corev1.PodStatus{ + Phase: corev1.PodSucceeded, + ContainerStatuses: []corev1.ContainerStatus{{ + Name: "step-bar", + State: corev1.ContainerState{ + Terminated: &corev1.ContainerStateTerminated{ + Message: `[{"key":"resultName","value":"resultValue", "type":1}, {"key":"digest","value":"sha256:1234","resourceName":"source-image"}]`, + }, + }, + }}, + }, + want: v1beta1.TaskRunStatus{ + Status: statusSRVUnverified(), + TaskRunStatusFields: v1beta1.TaskRunStatusFields{ + Steps: []v1beta1.StepState{{ + ContainerState: corev1.ContainerState{ + Terminated: &corev1.ContainerStateTerminated{ + Message: `[{"key":"digest","value":"sha256:1234","resourceName":"source-image"},{"key":"resultName","value":"resultValue","type":1}]`, + }}, + Name: "bar", + ContainerName: "step-bar", + }}, + Sidecars: []v1beta1.SidecarState{}, + ResourcesResult: []v1beta1.PipelineResourceResult{{ + Key: "digest", + Value: "sha256:1234", + ResourceName: "source-image", + }}, + TaskRunResults: []v1beta1.TaskRunResult{{ + Name: "resultName", + Type: v1beta1.ResultsTypeString, + Value: *v1beta1.NewStructuredValues("resultValue"), + }}, + // We don't actually care about the time, just that it's not nil + CompletionTime: &metav1.Time{Time: time.Now()}, + }, + }, + }, { + desc: "test result with pipeline result with signed termination message", + resultOut: []v1beta1.PipelineResourceResult{ + { + Key: "resultName", + Value: "resultValue", + ResultType: v1beta1.TaskRunResultType, + }, + }, + podStatus: corev1.PodStatus{ + Phase: corev1.PodSucceeded, + ContainerStatuses: []corev1.ContainerStatus{{ + Name: "step-bar", + State: corev1.ContainerState{ + Terminated: &corev1.ContainerStateTerminated{ + Message: ``, + }, + }, + }}, + }, + want: v1beta1.TaskRunStatus{ + Status: statusSRVVerified(), + TaskRunStatusFields: v1beta1.TaskRunStatusFields{ + Steps: []v1beta1.StepState{{ + ContainerState: corev1.ContainerState{ + Terminated: &corev1.ContainerStateTerminated{ + Message: `to be overridden by signing`, + }}, + Name: "bar", + ContainerName: "step-bar", + }}, + Sidecars: []v1beta1.SidecarState{}, + TaskRunResults: []v1beta1.TaskRunResult{{ + Name: "resultName", + Type: v1beta1.ResultsTypeString, + Value: *v1beta1.NewStructuredValues("resultValue"), + }}, + // We don't actually care about the time, just that it's not nil + CompletionTime: &metav1.Time{Time: time.Now()}, + }, + }, + }, { + desc: "test array result with signed termination message", + resultOut: []v1beta1.PipelineResourceResult{ + { + Key: "resultName", + Value: "[\"hello\",\"world\"]", + ResultType: v1beta1.TaskRunResultType, + }, + }, + podStatus: corev1.PodStatus{ + Phase: corev1.PodSucceeded, + ContainerStatuses: []corev1.ContainerStatus{{ + Name: "step-bar", + State: corev1.ContainerState{ + Terminated: &corev1.ContainerStateTerminated{ + Message: ``, + }, + }, + }}, + }, + want: v1beta1.TaskRunStatus{ + Status: statusSRVVerified(), + TaskRunStatusFields: v1beta1.TaskRunStatusFields{ + Steps: []v1beta1.StepState{{ + ContainerState: corev1.ContainerState{ + Terminated: &corev1.ContainerStateTerminated{ + Message: `to be overridden by signing`, + }}, + Name: "bar", + ContainerName: "step-bar", + }}, + Sidecars: []v1beta1.SidecarState{}, + TaskRunResults: []v1beta1.TaskRunResult{{ + Name: "resultName", + Type: v1beta1.ResultsTypeArray, + Value: *v1beta1.NewStructuredValues("hello", "world"), + }}, + // We don't actually care about the time, just that it's not nil + CompletionTime: &metav1.Time{Time: time.Now()}, + }, + }, + }, { + desc: "test result with no result with signed termination message", + resultOut: []v1beta1.PipelineResourceResult{}, + podStatus: corev1.PodStatus{ + Phase: corev1.PodSucceeded, + ContainerStatuses: []corev1.ContainerStatus{{ + Name: "step-bar", + State: corev1.ContainerState{ + Terminated: &corev1.ContainerStateTerminated{ + Message: `to be overridden by signing`, + }, + }, + }}, + }, + want: v1beta1.TaskRunStatus{ + Status: statusSRVVerified(), + TaskRunStatusFields: v1beta1.TaskRunStatusFields{ + Steps: []v1beta1.StepState{{ + ContainerState: corev1.ContainerState{ + Terminated: &corev1.ContainerStateTerminated{ + Message: `to be overridden by signing`, + }}, + Name: "bar", + ContainerName: "step-bar", + }}, + Sidecars: []v1beta1.SidecarState{}, + // We don't actually care about the time, just that it's not nil + CompletionTime: &metav1.Time{Time: time.Now()}, + }, + }, + }, { + desc: "test result with no result without signed termination message", + podStatus: corev1.PodStatus{ + Phase: corev1.PodSucceeded, + ContainerStatuses: []corev1.ContainerStatus{{ + Name: "step-bar", + State: corev1.ContainerState{ + Terminated: &corev1.ContainerStateTerminated{ + Message: "[]", + }, + }, + }}, + }, + want: v1beta1.TaskRunStatus{ + Status: statusSRVVerified(), + TaskRunStatusFields: v1beta1.TaskRunStatusFields{ + Steps: []v1beta1.StepState{{ + ContainerState: corev1.ContainerState{ + Terminated: &corev1.ContainerStateTerminated{ + Message: "[]", + }}, + Name: "bar", + ContainerName: "step-bar", + }}, + Sidecars: []v1beta1.SidecarState{}, + // We don't actually care about the time, just that it's not nil + CompletionTime: &metav1.Time{Time: time.Now()}, + }, + }, + }, { + desc: "test result (with task run result defined) with no result without signed termination message", + specifyTaskRunResult: true, + podStatus: corev1.PodStatus{ + Phase: corev1.PodSucceeded, + ContainerStatuses: []corev1.ContainerStatus{{ + Name: "step-bar", + State: corev1.ContainerState{ + Terminated: &corev1.ContainerStateTerminated{ + Message: "[]", + }, + }, + }}, + }, + want: v1beta1.TaskRunStatus{ + Status: statusSRVUnverified(), + TaskRunStatusFields: v1beta1.TaskRunStatusFields{ + Steps: []v1beta1.StepState{{ + ContainerState: corev1.ContainerState{ + Terminated: &corev1.ContainerStateTerminated{ + Message: "[]", + }}, + Name: "bar", + ContainerName: "step-bar", + }}, + Sidecars: []v1beta1.SidecarState{}, + // We don't actually care about the time, just that it's not nil + CompletionTime: &metav1.Time{Time: time.Now()}, + }, + }, + }} { + t.Run(c.desc, func(t *testing.T) { + now := metav1.Now() + ctx := context.Background() + if cmp.Diff(c.pod, corev1.Pod{}) == "" { + c.pod = corev1.Pod{ + ObjectMeta: metav1.ObjectMeta{ + Name: "pod", + Namespace: "foo", + CreationTimestamp: now, + }, + Status: c.podStatus, + } + } + + startTime := time.Date(2010, 1, 1, 1, 1, 1, 1, time.UTC) + tr := v1beta1.TaskRun{ + ObjectMeta: metav1.ObjectMeta{ + Name: "task-run", + Namespace: "foo", + }, + Status: v1beta1.TaskRunStatus{ + TaskRunStatusFields: v1beta1.TaskRunStatusFields{ + StartTime: &metav1.Time{Time: startTime}, + }, + }, + } + if c.specifyTaskRunResult { + // Specify result + tr.Status.TaskSpec = &v1beta1.TaskSpec{ + Results: []v1beta1.TaskResult{{ + Name: "some-task-result", + }}, + } + + c.want.TaskSpec = tr.Status.TaskSpec + } + + if err := sc.CreateEntries(ctx, &tr, &c.pod, 10000); err != nil { + t.Fatalf("unable to create entry for tr: %v", tr.Name) + } + + if c.resultOut != nil { + id := sc.GetIdentity(&tr) + for i := 0; i < 20; i++ { + sc.SignIdentities = append(sc.SignIdentities, id) + } + sigs, err := sc.Sign(ctx, c.resultOut) + if err != nil { + t.Fatalf("failed to sign: %v", err) + } + c.resultOut = append(c.resultOut, sigs...) + s, err := createMessageFromResults(c.resultOut) + if err != nil { + t.Fatalf("failed to create message from result: %v", err) + } + + c.podStatus.ContainerStatuses[0].State.Terminated.Message = s + c.want.TaskRunStatusFields.Steps[0].ContainerState.Terminated.Message = s + } + + logger, _ := logging.NewLogger("", "status") + kubeclient := fakek8s.NewSimpleClientset() + got, err := MakeTaskRunStatus(context.Background(), logger, tr, &c.pod, kubeclient, true, sc) + if err != nil { + t.Errorf("MakeTaskRunResult: %s", err) + } + + // Common traits, set for test case brevity. + c.want.PodName = "pod" + c.want.StartTime = &metav1.Time{Time: startTime} + + ensureTimeNotNil := cmp.Comparer(func(x, y *metav1.Time) bool { + if x == nil { + return y == nil + } + return y != nil + }) + if d := cmp.Diff(c.want, got, ignoreVolatileTime, ensureTimeNotNil, processConditions, terminationMessageTrans); d != "" { + t.Errorf("Diff %s", diff.PrintWantGot(d)) + } + if tr.Status.StartTime.Time != c.want.StartTime.Time { + t.Errorf("Expected TaskRun startTime to be unchanged but was %s", tr.Status.StartTime) + } + + if err := sc.DeleteEntry(ctx, &tr, &c.pod); err != nil { + t.Fatalf("unable to create entry for tr: %v", tr.Name) + } }) } @@ -1147,7 +1538,7 @@ func TestMakeTaskRunStatus(t *testing.T) { } logger, _ := logging.NewLogger("", "status") kubeclient := fakek8s.NewSimpleClientset() - got, err := MakeTaskRunStatus(context.Background(), logger, tr, &c.pod, kubeclient) + got, err := MakeTaskRunStatus(context.Background(), logger, tr, &c.pod, kubeclient, false, nil) if err != nil { t.Errorf("MakeTaskRunResult: %s", err) } @@ -1362,7 +1753,7 @@ func TestMakeTaskRunStatusAlpha(t *testing.T) { } logger, _ := logging.NewLogger("", "status") kubeclient := fakek8s.NewSimpleClientset() - got, err := MakeTaskRunStatus(context.Background(), logger, tr, &c.pod, kubeclient) + got, err := MakeTaskRunStatus(context.Background(), logger, tr, &c.pod, kubeclient, false, nil) if err != nil { t.Errorf("MakeTaskRunResult: %s", err) } @@ -1484,7 +1875,7 @@ func TestMakeRunStatusJSONError(t *testing.T) { logger, _ := logging.NewLogger("", "status") kubeclient := fakek8s.NewSimpleClientset() - gotTr, err := MakeTaskRunStatus(context.Background(), logger, tr, pod, kubeclient) + gotTr, err := MakeTaskRunStatus(context.Background(), logger, tr, pod, kubeclient, false, nil) if err == nil { t.Error("Expected error, got nil") } diff --git a/pkg/reconciler/taskrun/controller.go b/pkg/reconciler/taskrun/controller.go index 9e2b07a9044..a8bc1161b6a 100644 --- a/pkg/reconciler/taskrun/controller.go +++ b/pkg/reconciler/taskrun/controller.go @@ -32,6 +32,7 @@ import ( cloudeventclient "github.com/tektoncd/pipeline/pkg/reconciler/events/cloudevent" "github.com/tektoncd/pipeline/pkg/reconciler/volumeclaim" resolution "github.com/tektoncd/pipeline/pkg/resolution/resource" + "github.com/tektoncd/pipeline/pkg/spire" "github.com/tektoncd/pipeline/pkg/taskrunmetrics" "k8s.io/client-go/tools/cache" "k8s.io/utils/clock" @@ -54,7 +55,8 @@ func NewController(opts *pipeline.Options, clock clock.PassiveClock) func(contex resourceInformer := resourceinformer.Get(ctx) limitrangeInformer := limitrangeinformer.Get(ctx) resolutionInformer := resolutioninformer.Get(ctx) - configStore := config.NewStore(logger.Named("config-store"), taskrunmetrics.MetricsOnStore(logger)) + spireControllerAPI := spire.GetControllerAPIClient(ctx) + configStore := config.NewStore(logger.Named("config-store"), taskrunmetrics.MetricsOnStore(logger), spire.OnStore(ctx, logger)) configStore.WatchConfigs(cmw) entrypointCache, err := pod.NewEntrypointCache(kubeclientset) @@ -66,6 +68,7 @@ func NewController(opts *pipeline.Options, clock clock.PassiveClock) func(contex KubeClientSet: kubeclientset, PipelineClientSet: pipelineclientset, Images: opts.Images, + SpireClient: spireControllerAPI, Clock: clock, taskRunLister: taskRunInformer.Lister(), resourceLister: resourceInformer.Lister(), diff --git a/pkg/reconciler/taskrun/resources/image_exporter.go b/pkg/reconciler/taskrun/resources/image_exporter.go index b03b98a277d..ee80870beb7 100644 --- a/pkg/reconciler/taskrun/resources/image_exporter.go +++ b/pkg/reconciler/taskrun/resources/image_exporter.go @@ -33,7 +33,7 @@ func AddOutputImageDigestExporter( imageDigestExporterImage string, tr *v1beta1.TaskRun, taskSpec *v1beta1.TaskSpec, - gr GetResource, + gr GetResource, spireEnabled bool, ) error { output := []*image.Resource{} @@ -80,7 +80,7 @@ func AddOutputImageDigestExporter( } augmentedSteps = append(augmentedSteps, taskSpec.Steps...) - augmentedSteps = append(augmentedSteps, imageDigestExporterStep(imageDigestExporterImage, imagesJSON)) + augmentedSteps = append(augmentedSteps, imageDigestExporterStep(imageDigestExporterImage, imagesJSON, spireEnabled)) taskSpec.Steps = augmentedSteps } @@ -89,13 +89,19 @@ func AddOutputImageDigestExporter( return nil } -func imageDigestExporterStep(imageDigestExporterImage string, imagesJSON []byte) v1beta1.Step { +func imageDigestExporterStep(imageDigestExporterImage string, imagesJSON []byte, spireEnabled bool) v1beta1.Step { + // Add extra entrypoint arg to enable or disable spire + commonExtraEntrypointArgs := []string{ + "-images", string(imagesJSON), + } + if spireEnabled { + commonExtraEntrypointArgs = append(commonExtraEntrypointArgs, "-enable_spire") + } + return v1beta1.Step{ Name: names.SimpleNameGenerator.RestrictLengthWithRandomSuffix(imageDigestExporterContainerName), Image: imageDigestExporterImage, Command: []string{"/ko-app/imagedigestexporter"}, - Args: []string{ - "-images", string(imagesJSON), - }, + Args: commonExtraEntrypointArgs, } } diff --git a/pkg/reconciler/taskrun/resources/image_exporter_test.go b/pkg/reconciler/taskrun/resources/image_exporter_test.go index aba62bf4ab3..66b752edbb1 100644 --- a/pkg/reconciler/taskrun/resources/image_exporter_test.go +++ b/pkg/reconciler/taskrun/resources/image_exporter_test.go @@ -183,7 +183,175 @@ func TestAddOutputImageDigestExporter(t *testing.T) { }, }, nil } - err := AddOutputImageDigestExporter("override-with-imagedigest-exporter-image:latest", c.taskRun, &c.task.Spec, gr) + err := AddOutputImageDigestExporter("override-with-imagedigest-exporter-image:latest", c.taskRun, &c.task.Spec, gr, false) + if err != nil { + t.Fatalf("Failed to declare output resources for test %q: error %v", c.desc, err) + } + + if d := cmp.Diff(c.task.Spec.Steps, c.wantSteps); d != "" { + t.Fatalf("post build steps mismatch %s", diff.PrintWantGot(d)) + } + }) + } +} + +func TestAddOutputImageDigestExporterWithSpire(t *testing.T) { + for _, c := range []struct { + desc string + task *v1beta1.Task + taskRun *v1beta1.TaskRun + wantSteps []v1beta1.Step + }{{ + desc: "image resource declared as both input and output", + task: &v1beta1.Task{ + ObjectMeta: metav1.ObjectMeta{ + Name: "task1", + Namespace: "marshmallow", + }, + Spec: v1beta1.TaskSpec{ + Steps: []v1beta1.Step{{ + Name: "step1", + }}, + Resources: &v1beta1.TaskResources{ + Inputs: []v1beta1.TaskResource{{ + ResourceDeclaration: v1beta1.ResourceDeclaration{ + Name: "source-image", + Type: "image", + }, + }}, + Outputs: []v1beta1.TaskResource{{ + ResourceDeclaration: v1beta1.ResourceDeclaration{ + Name: "source-image", + Type: "image", + }, + }}, + }, + }, + }, + taskRun: &v1beta1.TaskRun{ + ObjectMeta: metav1.ObjectMeta{ + Name: "test-taskrun-run-output-steps", + Namespace: "marshmallow", + }, + Spec: v1beta1.TaskRunSpec{ + Resources: &v1beta1.TaskRunResources{ + Inputs: []v1beta1.TaskResourceBinding{{ + PipelineResourceBinding: v1beta1.PipelineResourceBinding{ + Name: "source-image", + ResourceRef: &v1beta1.PipelineResourceRef{ + Name: "source-image-1", + }, + }, + }}, + Outputs: []v1beta1.TaskResourceBinding{{ + PipelineResourceBinding: v1beta1.PipelineResourceBinding{ + Name: "source-image", + ResourceRef: &v1beta1.PipelineResourceRef{ + Name: "source-image-1", + }, + }, + }}, + }, + }, + }, + wantSteps: []v1beta1.Step{{ + Name: "step1", + }, { + Name: "image-digest-exporter-9l9zj", + Image: "override-with-imagedigest-exporter-image:latest", + Command: []string{"/ko-app/imagedigestexporter"}, + Args: []string{"-images", "[{\"name\":\"source-image\",\"type\":\"image\",\"url\":\"gcr.io/some-image-1\",\"digest\":\"\",\"OutputImageDir\":\"/workspace/output/source-image\"}]", "-enable_spire"}, + }}, + }, { + desc: "image resource in task with multiple steps", + task: &v1beta1.Task{ + ObjectMeta: metav1.ObjectMeta{ + Name: "task1", + Namespace: "marshmallow", + }, + Spec: v1beta1.TaskSpec{ + Steps: []v1beta1.Step{{ + Name: "step1", + }, { + Name: "step2", + }}, + Resources: &v1beta1.TaskResources{ + Inputs: []v1beta1.TaskResource{{ + ResourceDeclaration: v1beta1.ResourceDeclaration{ + Name: "source-image", + Type: "image", + }, + }}, + Outputs: []v1beta1.TaskResource{{ + ResourceDeclaration: v1beta1.ResourceDeclaration{ + Name: "source-image", + Type: "image", + }, + }}, + }, + }, + }, + taskRun: &v1beta1.TaskRun{ + ObjectMeta: metav1.ObjectMeta{ + Name: "test-taskrun-run-output-steps", + Namespace: "marshmallow", + }, + Spec: v1beta1.TaskRunSpec{ + Resources: &v1beta1.TaskRunResources{ + Inputs: []v1beta1.TaskResourceBinding{{ + PipelineResourceBinding: v1beta1.PipelineResourceBinding{ + Name: "source-image", + ResourceRef: &v1beta1.PipelineResourceRef{ + Name: "source-image-1", + }, + }, + }}, + Outputs: []v1beta1.TaskResourceBinding{{ + PipelineResourceBinding: v1beta1.PipelineResourceBinding{ + Name: "source-image", + ResourceRef: &v1beta1.PipelineResourceRef{ + Name: "source-image-1", + }, + }, + }}, + }, + }, + }, + wantSteps: []v1beta1.Step{{ + Name: "step1", + }, { + Name: "step2", + }, { + Name: "image-digest-exporter-9l9zj", + Image: "override-with-imagedigest-exporter-image:latest", + Command: []string{"/ko-app/imagedigestexporter"}, + Args: []string{"-images", "[{\"name\":\"source-image\",\"type\":\"image\",\"url\":\"gcr.io/some-image-1\",\"digest\":\"\",\"OutputImageDir\":\"/workspace/output/source-image\"}]", "-enable_spire"}, + }}, + }} { + t.Run(c.desc, func(t *testing.T) { + names.TestingSeed() + gr := func(n string) (*resourcev1alpha1.PipelineResource, error) { + return &resourcev1alpha1.PipelineResource{ + ObjectMeta: metav1.ObjectMeta{ + Name: "source-image-1", + Namespace: "marshmallow", + }, + Spec: resourcev1alpha1.PipelineResourceSpec{ + Type: "image", + Params: []v1beta1.ResourceParam{{ + Name: "url", + Value: "gcr.io/some-image-1", + }, { + Name: "digest", + Value: "", + }, { + Name: "OutputImageDir", + Value: "/workspace/source-image-1/index.json", + }}, + }, + }, nil + } + err := AddOutputImageDigestExporter("override-with-imagedigest-exporter-image:latest", c.taskRun, &c.task.Spec, gr, true) if err != nil { t.Fatalf("Failed to declare output resources for test %q: error %v", c.desc, err) } diff --git a/pkg/reconciler/taskrun/taskrun.go b/pkg/reconciler/taskrun/taskrun.go index 8f4940adea3..14b8e253a1b 100644 --- a/pkg/reconciler/taskrun/taskrun.go +++ b/pkg/reconciler/taskrun/taskrun.go @@ -47,6 +47,7 @@ import ( "github.com/tektoncd/pipeline/pkg/reconciler/volumeclaim" "github.com/tektoncd/pipeline/pkg/remote" resolution "github.com/tektoncd/pipeline/pkg/resolution/resource" + "github.com/tektoncd/pipeline/pkg/spire" "github.com/tektoncd/pipeline/pkg/taskrunmetrics" _ "github.com/tektoncd/pipeline/pkg/taskrunmetrics/fake" // Make sure the taskrunmetrics are setup "github.com/tektoncd/pipeline/pkg/trustedresources" @@ -74,6 +75,7 @@ type Reconciler struct { KubeClientSet kubernetes.Interface PipelineClientSet clientset.Interface Images pipeline.Images + SpireClient spire.ControllerAPIClient Clock clock.PassiveClock // listers index properties about resources @@ -455,10 +457,11 @@ func (c *Reconciler) reconcile(ctx context.Context, tr *v1beta1.TaskRun, rtr *re defer c.durationAndCountMetrics(ctx, tr) logger := logging.FromContext(ctx) recorder := controller.GetEventRecorder(ctx) - var err error // Get the TaskRun's Pod if it should have one. Otherwise, create the Pod. var pod *corev1.Pod + var err error + spireEnabled := config.FromContextOrDefaults(ctx).FeatureFlags.EnforceNonfalsifiability == config.EnforceNonfalsifiabilityWithSpire if tr.Status.PodName != "" { pod, err = c.podLister.Pods(tr.Namespace).Get(tr.Status.PodName) @@ -534,6 +537,16 @@ func (c *Reconciler) reconcile(ctx context.Context, tr *v1beta1.TaskRun, rtr *re } if podconvert.SidecarsReady(pod.Status) { + if spireEnabled { + // TTL for the entry is in seconds + ttl := time.Duration(config.FromContextOrDefaults(ctx).Defaults.DefaultTimeoutMinutes) * time.Minute + if err = c.SpireClient.CreateEntries(ctx, tr, pod, ttl); err != nil { + logger.Errorf("Failed to create workload SPIFFE entry for taskrun %v: %v", tr.Name, err) + return err + } + logger.Infof("Created SPIFFE workload entry for %v/%v", tr.Namespace, tr.Name) + } + if err := podconvert.UpdateReady(ctx, c.KubeClientSet, *pod); err != nil { return err } @@ -543,7 +556,7 @@ func (c *Reconciler) reconcile(ctx context.Context, tr *v1beta1.TaskRun, rtr *re } // Convert the Pod's status to the equivalent TaskRun Status. - tr.Status, err = podconvert.MakeTaskRunStatus(ctx, logger, *tr, pod, c.KubeClientSet) + tr.Status, err = podconvert.MakeTaskRunStatus(ctx, logger, *tr, pod, c.KubeClientSet, spireEnabled, c.SpireClient) if err != nil { return err } @@ -553,6 +566,14 @@ func (c *Reconciler) reconcile(ctx context.Context, tr *v1beta1.TaskRun, rtr *re return err } + if spireEnabled && tr.IsDone() { + if err := c.SpireClient.DeleteEntry(ctx, tr, pod); err != nil { + logger.Infof("Failed to remove workload SPIFFE entry for taskrun %v: %v", tr.Name, err) + return err + } + logger.Infof("Deleted SPIFFE workload entry for %v/%v", tr.Namespace, tr.Name) + } + logger.Infof("Successfully reconciled taskrun %s/%s with status: %#v", tr.Name, tr.Namespace, tr.Status.GetCondition(apis.ConditionSucceeded)) return nil } @@ -718,8 +739,11 @@ func (c *Reconciler) createPod(ctx context.Context, ts *v1beta1.TaskSpec, tr *v1 return nil, err } + // check if spire is enabled to pass to ImageDigestExporter + spireEnabled := config.FromContextOrDefaults(ctx).FeatureFlags.EnforceNonfalsifiability == config.EnforceNonfalsifiabilityWithSpire + // Get actual resource - err = resources.AddOutputImageDigestExporter(c.Images.ImageDigestExporterImage, tr, ts, c.resourceLister.PipelineResources(tr.Namespace).Get) + err = resources.AddOutputImageDigestExporter(c.Images.ImageDigestExporterImage, tr, ts, c.resourceLister.PipelineResources(tr.Namespace).Get, spireEnabled) if err != nil { logger.Errorf("Failed to create a pod for taskrun: %s due to output image resource error %v", tr.Name, err) return nil, err diff --git a/pkg/reconciler/taskrun/taskrun_test.go b/pkg/reconciler/taskrun/taskrun_test.go index f3c3637c429..91b930ed036 100644 --- a/pkg/reconciler/taskrun/taskrun_test.go +++ b/pkg/reconciler/taskrun/taskrun_test.go @@ -46,6 +46,7 @@ import ( ttesting "github.com/tektoncd/pipeline/pkg/reconciler/testing" "github.com/tektoncd/pipeline/pkg/reconciler/volumeclaim" resolutioncommon "github.com/tektoncd/pipeline/pkg/resolution/common" + "github.com/tektoncd/pipeline/pkg/spire" "github.com/tektoncd/pipeline/pkg/workspace" "github.com/tektoncd/pipeline/test" "github.com/tektoncd/pipeline/test/diff" @@ -550,7 +551,7 @@ spec: image: "foo", name: "simple-step", cmd: "/mycmd", - }}), + }}, false), }, { name: "serviceaccount", taskRun: taskRunWithSaSuccess, @@ -558,7 +559,7 @@ spec: image: "foo", name: "sa-step", cmd: "/mycmd", - }}), + }}, false), }} { t.Run(tc.name, func(t *testing.T) { saName := tc.taskRun.Spec.ServiceAccountName @@ -958,7 +959,7 @@ spec: image: "foo", name: "simple-step", cmd: "/mycmd", - }}), + }}, false), }, { name: "serviceaccount", taskRun: taskRunWithSaSuccess, @@ -970,7 +971,7 @@ spec: image: "foo", name: "sa-step", cmd: "/mycmd", - }}), + }}, false), }, { name: "params", taskRun: taskRunSubstitution, @@ -1035,7 +1036,7 @@ spec: "[{\"name\":\"myimage\",\"type\":\"image\",\"url\":\"gcr.io/kristoff/sven\",\"digest\":\"\",\"OutputImageDir\":\"/workspace/output/myimage\"}]", }, }, - }), + }, false), }, { name: "taskrun-with-taskspec", taskRun: taskRunWithTaskSpec, @@ -1065,7 +1066,7 @@ spec: "--my-arg=foo", }, }, - }), + }, false), }, { name: "success-with-cluster-task", taskRun: taskRunWithClusterTask, @@ -1077,7 +1078,7 @@ spec: name: "simple-step", image: "foo", cmd: "/mycmd", - }}), + }}, false), }, { name: "taskrun-with-resource-spec-task-spec", taskRun: taskRunWithResourceSpecAndTaskSpec, @@ -1106,7 +1107,7 @@ spec: image: "ubuntu", cmd: "/mycmd", }, - }), + }, false), }, { name: "taskrun-with-pod", taskRun: taskRunWithPod, @@ -1118,7 +1119,7 @@ spec: name: "simple-step", image: "foo", cmd: "/mycmd", - }}), + }}, false), }, { name: "taskrun-with-credentials-variable-default-tekton-creds", taskRun: taskRunWithCredentialsVariable, @@ -1130,7 +1131,7 @@ spec: name: "mycontainer", image: "myimage", cmd: "/mycmd /tekton/creds", - }}), + }}, false), }, { name: "remote-task", taskRun: taskRunBundle, @@ -1142,7 +1143,7 @@ spec: name: "simple-step", image: "foo", cmd: "/mycmd", - }}), + }}, false), }} { t.Run(tc.name, func(t *testing.T) { testAssets, cancel := getTaskRunController(t, d) @@ -1204,6 +1205,7 @@ spec: func TestAlphaReconcile(t *testing.T) { names.TestingSeed() + readonly := true taskRunWithOutputConfig := parse.MustParseV1beta1TaskRun(t, ` metadata: name: test-taskrun-with-output-config @@ -1243,12 +1245,14 @@ spec: taskRunWithOutputConfig, taskRunWithOutputConfigAndWorkspace, } - cms := []*corev1.ConfigMap{{ - ObjectMeta: metav1.ObjectMeta{Namespace: system.Namespace(), Name: config.GetFeatureFlagsConfigName()}, - Data: map[string]string{ - "enable-api-fields": config.AlphaAPIFields, + cms := []*corev1.ConfigMap{ + { + ObjectMeta: metav1.ObjectMeta{Namespace: system.Namespace(), Name: config.GetFeatureFlagsConfigName()}, + Data: map[string]string{ + "enable-api-fields": config.AlphaAPIFields, + }, }, - }} + } d := test.Data{ ConfigMaps: cms, TaskRuns: taskruns, @@ -1268,12 +1272,30 @@ spec: "Normal Started ", "Normal Running Not all Steps", }, - wantPod: expectedPod("test-taskrun-with-output-config-pod", "", "test-taskrun-with-output-config", "foo", config.DefaultServiceAccountValue, false, nil, []stepForExpectedPod{{ - name: "mycontainer", - image: "myimage", - stdoutPath: "stdout.txt", - cmd: "/mycmd", - }}), + wantPod: addVolumeMounts(expectedPod("test-taskrun-with-output-config-pod", "", "test-taskrun-with-output-config", "foo", config.DefaultServiceAccountValue, false, + []corev1.Volume{ + { + Name: spire.WorkloadAPI, + VolumeSource: corev1.VolumeSource{ + CSI: &corev1.CSIVolumeSource{ + Driver: "csi.spiffe.io", + ReadOnly: &readonly, + }, + }, + }}, []stepForExpectedPod{{ + name: "mycontainer", + image: "myimage", + stdoutPath: "stdout.txt", + cmd: "/mycmd", + }}, true), + []corev1.VolumeMount{ + { + Name: spire.WorkloadAPI, + MountPath: spire.VolumeMountPath, + ReadOnly: true, + }, + }, + ), }, { name: "taskrun-with-output-config-ws", taskRun: taskRunWithOutputConfigAndWorkspace, @@ -1282,22 +1304,40 @@ spec: "Normal Running Not all Steps", }, wantPod: addVolumeMounts(expectedPod("test-taskrun-with-output-config-ws-pod", "", "test-taskrun-with-output-config-ws", "foo", config.DefaultServiceAccountValue, false, - []corev1.Volume{{ - Name: "ws-9l9zj", - VolumeSource: corev1.VolumeSource{ - EmptyDir: &corev1.EmptyDirVolumeSource{}, + []corev1.Volume{ + { + Name: "ws-9l9zj", + VolumeSource: corev1.VolumeSource{ + EmptyDir: &corev1.EmptyDirVolumeSource{}, + }, + }, { + Name: spire.WorkloadAPI, + VolumeSource: corev1.VolumeSource{ + CSI: &corev1.CSIVolumeSource{ + Driver: "csi.spiffe.io", + ReadOnly: &readonly, + }, + }, }, - }}, + }, []stepForExpectedPod{{ name: "mycontainer", image: "myimage", stdoutPath: "stdout.txt", cmd: "/mycmd", - }}), - []corev1.VolumeMount{{ - Name: "ws-9l9zj", - MountPath: "/workspace/data", - }}), + }}, true), + []corev1.VolumeMount{ + { + Name: "ws-9l9zj", + MountPath: "/workspace/data", + }, + { + Name: spire.WorkloadAPI, + MountPath: spire.VolumeMountPath, + ReadOnly: true, + }, + }, + ), }} { t.Run(tc.name, func(t *testing.T) { testAssets, cancel := getTaskRunController(t, d) @@ -1358,8 +1398,8 @@ spec: } func addVolumeMounts(p *corev1.Pod, vms []corev1.VolumeMount) *corev1.Pod { - for i, vm := range vms { - p.Spec.Containers[i].VolumeMounts = append(p.Spec.Containers[i].VolumeMounts, vm) + for i := range p.Spec.Containers { + p.Spec.Containers[i].VolumeMounts = append(p.Spec.Containers[i].VolumeMounts, vms...) } return p } @@ -1379,8 +1419,18 @@ spec: serviceAccountName: default `) + cms := []*corev1.ConfigMap{ + { + ObjectMeta: metav1.ObjectMeta{Namespace: system.Namespace(), Name: config.GetFeatureFlagsConfigName()}, + Data: map[string]string{ + "enable-api-fields": config.AlphaAPIFields, + }, + }, + } + d := test.Data{ - TaskRuns: []*v1beta1.TaskRun{tr}, + ConfigMaps: cms, + TaskRuns: []*v1beta1.TaskRun{tr}, ServiceAccounts: []*corev1.ServiceAccount{{ ObjectMeta: metav1.ObjectMeta{Name: tr.Spec.ServiceAccountName, Namespace: "foo"}, }}, @@ -1479,8 +1529,18 @@ spec: serviceAccountName: default `) + cms := []*corev1.ConfigMap{ + { + ObjectMeta: metav1.ObjectMeta{Namespace: system.Namespace(), Name: config.GetFeatureFlagsConfigName()}, + Data: map[string]string{ + "enable-api-fields": config.AlphaAPIFields, + }, + }, + } + d := test.Data{ - TaskRuns: []*v1beta1.TaskRun{tr}, + ConfigMaps: cms, + TaskRuns: []*v1beta1.TaskRun{tr}, ServiceAccounts: []*corev1.ServiceAccount{{ ObjectMeta: metav1.ObjectMeta{Name: tr.Spec.ServiceAccountName, Namespace: "foo"}, }}, @@ -2425,12 +2485,14 @@ spec: d := test.Data{ TaskRuns: []*v1beta1.TaskRun{taskRun}, } - d.ConfigMaps = []*corev1.ConfigMap{{ - ObjectMeta: metav1.ObjectMeta{Namespace: system.Namespace(), Name: config.GetFeatureFlagsConfigName()}, - Data: map[string]string{ - "enable-api-fields": config.AlphaAPIFields, + d.ConfigMaps = []*corev1.ConfigMap{ + { + ObjectMeta: metav1.ObjectMeta{Namespace: system.Namespace(), Name: config.GetFeatureFlagsConfigName()}, + Data: map[string]string{ + "enable-api-fields": config.AlphaAPIFields, + }, }, - }} + } testAssets, cancel := getTaskRunController(t, d) defer cancel() createServiceAccount(t, testAssets, "default", taskRun.Namespace) @@ -4663,7 +4725,7 @@ func podVolumeMounts(idx, totalSteps int) []corev1.VolumeMount { return mnts } -func podArgs(cmd string, stdoutPath string, stderrPath string, additionalArgs []string, idx int) []string { +func podArgs(cmd string, stdoutPath string, stderrPath string, additionalArgs []string, idx int, alpha bool) []string { args := []string{ "-wait_file", } @@ -4680,6 +4742,9 @@ func podArgs(cmd string, stdoutPath string, stderrPath string, additionalArgs [] "-step_metadata_dir", fmt.Sprintf("/tekton/run/%d/status", idx), ) + if alpha { + args = append(args, "-enable_spire") + } if stdoutPath != "" { args = append(args, "-stdout_path", stdoutPath) } @@ -4741,11 +4806,24 @@ type stepForExpectedPod struct { stderrPath string } -func expectedPod(podName, taskName, taskRunName, ns, saName string, isClusterTask bool, extraVolumes []corev1.Volume, steps []stepForExpectedPod) *corev1.Pod { +func expectedPod(podName, taskName, taskRunName, ns, saName string, isClusterTask bool, extraVolumes []corev1.Volume, steps []stepForExpectedPod, alpha bool) *corev1.Pod { stepNames := make([]string, 0, len(steps)) for _, s := range steps { stepNames = append(stepNames, fmt.Sprintf("step-%s", s.name)) } + + initContainers := []corev1.Container{placeToolsInitContainer(stepNames)} + if alpha { + for i := range initContainers { + c := &initContainers[i] + c.VolumeMounts = append(c.VolumeMounts, corev1.VolumeMount{ + Name: spire.WorkloadAPI, + MountPath: spire.VolumeMountPath, + ReadOnly: true, + }) + } + } + p := &corev1.Pod{ ObjectMeta: podObjectMeta(podName, taskName, taskRunName, ns, isClusterTask), Spec: corev1.PodSpec{ @@ -4757,7 +4835,7 @@ func expectedPod(podName, taskName, taskRunName, ns, saName string, isClusterTas binVolume, downwardVolume, }, - InitContainers: []corev1.Container{placeToolsInitContainer(stepNames)}, + InitContainers: initContainers, RestartPolicy: corev1.RestartPolicyNever, ActiveDeadlineSeconds: &defaultActiveDeadlineSeconds, ServiceAccountName: saName, @@ -4778,7 +4856,7 @@ func expectedPod(podName, taskName, taskRunName, ns, saName string, isClusterTas VolumeMounts: podVolumeMounts(idx, len(steps)), TerminationMessagePath: "/tekton/termination", } - stepContainer.Args = podArgs(s.cmd, s.stdoutPath, s.stderrPath, s.args, idx) + stepContainer.Args = podArgs(s.cmd, s.stdoutPath, s.stderrPath, s.args, idx, alpha) for k, v := range s.envVars { stepContainer.Env = append(stepContainer.Env, corev1.EnvVar{ @@ -4959,12 +5037,14 @@ status: d := test.Data{ TaskRuns: taskruns, Tasks: []*v1beta1.Task{resultsTask}, - ConfigMaps: []*corev1.ConfigMap{{ - ObjectMeta: metav1.ObjectMeta{Namespace: system.Namespace(), Name: config.GetFeatureFlagsConfigName()}, - Data: map[string]string{ - "enable-api-fields": config.AlphaAPIFields, + ConfigMaps: []*corev1.ConfigMap{ + { + ObjectMeta: metav1.ObjectMeta{Namespace: system.Namespace(), Name: config.GetFeatureFlagsConfigName()}, + Data: map[string]string{ + "enable-api-fields": config.AlphaAPIFields, + }, }, - }}, + }, } for _, tc := range []struct { name string diff --git a/pkg/spire/config/config.go b/pkg/spire/config/config.go index 5398e234f24..fb4ee1bbdc6 100644 --- a/pkg/spire/config/config.go +++ b/pkg/spire/config/config.go @@ -24,6 +24,7 @@ import ( // SpireConfig holds the images reference for a number of container images used // across tektoncd pipelines. +// +k8s:deepcopy-gen=true type SpireConfig struct { // The trust domain corresponds to the trust root of a SPIFFE identity provider. TrustDomain string @@ -61,7 +62,7 @@ func (c SpireConfig) Validate() error { } if !strings.HasPrefix(c.NodeAliasPrefix, "/") { - return fmt.Errorf("Spire node alias should start with a /") + return fmt.Errorf("spire node alias should start with a /") } return nil diff --git a/pkg/spire/config/zz_generated.deepcopy.go b/pkg/spire/config/zz_generated.deepcopy.go new file mode 100644 index 00000000000..56590eee535 --- /dev/null +++ b/pkg/spire/config/zz_generated.deepcopy.go @@ -0,0 +1,38 @@ +//go:build !ignore_autogenerated +// +build !ignore_autogenerated + +/* +Copyright 2020 The Tekton Authors + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Code generated by deepcopy-gen. DO NOT EDIT. + +package config + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *SpireConfig) DeepCopyInto(out *SpireConfig) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SpireConfig. +func (in *SpireConfig) DeepCopy() *SpireConfig { + if in == nil { + return nil + } + out := new(SpireConfig) + in.DeepCopyInto(out) + return out +} diff --git a/pkg/spire/controller.go b/pkg/spire/controller.go index 410c9c2ad63..ef1d40f6c7d 100644 --- a/pkg/spire/controller.go +++ b/pkg/spire/controller.go @@ -27,8 +27,10 @@ import ( "github.com/spiffe/go-spiffe/v2/workloadapi" entryv1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/entry/v1" spiffetypes "github.com/spiffe/spire-api-sdk/proto/spire/api/types" + "github.com/tektoncd/pipeline/pkg/apis/config" "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1" spireconfig "github.com/tektoncd/pipeline/pkg/spire/config" + "go.uber.org/zap" "google.golang.org/grpc" "google.golang.org/grpc/codes" "google.golang.org/grpc/credentials" @@ -45,6 +47,22 @@ func init() { // controllerKey is a way to associate the ControllerAPIClient from inside the context.Context type controllerKey struct{} +// OnStore stores the changed spire config into the SpireClientApi +func OnStore(ctx context.Context, logger *zap.SugaredLogger) func(name string, value interface{}) { + return func(name string, value interface{}) { + if name == config.GetSpireConfigName() { + cfg, ok := value.(*spireconfig.SpireConfig) + if !ok { + logger.Error("Failed to do type assertion for extracting SPIRE config") + return + } + controllerAPIClient := GetControllerAPIClient(ctx) + controllerAPIClient.Close() + controllerAPIClient.SetConfig(*cfg) + } + } +} + // GetControllerAPIClient extracts the ControllerAPIClient from the context. func GetControllerAPIClient(ctx context.Context) ControllerAPIClient { untyped := ctx.Value(controllerKey{}) @@ -52,7 +70,7 @@ func GetControllerAPIClient(ctx context.Context) ControllerAPIClient { logging.FromContext(ctx).Errorf("Unable to fetch client from context.") return nil } - return untyped.(*spireControllerAPIClient) + return untyped.(ControllerAPIClient) } func withControllerClient(ctx context.Context, cfg *rest.Config) context.Context { @@ -297,18 +315,22 @@ func (sc *spireControllerAPIClient) Close() error { if err != nil { return err } + sc.serverConn = nil } if sc.workloadAPI != nil { err = sc.workloadAPI.Close() if err != nil { return err } + sc.workloadAPI = nil } if sc.workloadConn != nil { err = sc.workloadConn.Close() if err != nil { return err } + sc.workloadConn = nil } + sc.entryClient = nil return nil } diff --git a/pkg/spire/spire_test.go b/pkg/spire/spire_test.go index 2be0b92c551..165feb4de3a 100644 --- a/pkg/spire/spire_test.go +++ b/pkg/spire/spire_test.go @@ -23,6 +23,7 @@ import ( "github.com/spiffe/go-spiffe/v2/spiffeid" "github.com/spiffe/go-spiffe/v2/svid/x509svid" + pconf "github.com/tektoncd/pipeline/pkg/apis/config" "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1" ttesting "github.com/tektoncd/pipeline/pkg/reconciler/testing" "github.com/tektoncd/pipeline/pkg/spire/config" @@ -668,6 +669,30 @@ func TestSpire_TaskRunResultsSignTamper(t *testing.T) { } } +func TestOnStore(t *testing.T) { + ctx, _ := ttesting.SetupDefaultContext(t) + logger := logging.FromContext(ctx) + ctx = context.WithValue(ctx, controllerKey{}, &spireControllerAPIClient{ + config: &config.SpireConfig{ + TrustDomain: "before_test_domain", + SocketPath: "before_test_socket_path", + ServerAddr: "before_test_server_path", + NodeAliasPrefix: "before_test_node_alias_prefix", + }, + }) + want := config.SpireConfig{ + TrustDomain: "after_test_domain", + SocketPath: "after_test_socket_path", + ServerAddr: "after_test_server_path", + NodeAliasPrefix: "after_test_node_alias_prefix", + } + OnStore(ctx, logger)(pconf.GetSpireConfigName(), &want) + got := *GetControllerAPIClient(ctx).(*spireControllerAPIClient).config + if got != want { + t.Fatalf("test TestOnStore expected %v but got %v", got, want) + } +} + func makeX509SVIDs(ca *test.CA, ids ...spiffeid.ID) []*x509svid.SVID { svids := []*x509svid.SVID{} for _, id := range ids { diff --git a/test/controller.go b/test/controller.go index ee18bc53345..74b713ed17e 100644 --- a/test/controller.go +++ b/test/controller.go @@ -340,7 +340,7 @@ func PrependResourceVersionReactor(f *ktesting.Fake) { // EnsureConfigurationConfigMapsExist makes sure all the configmaps exists. func EnsureConfigurationConfigMapsExist(d *Data) { - var defaultsExists, featureFlagsExists, artifactBucketExists, artifactPVCExists, metricsExists, trustedresourcesExists bool + var defaultsExists, featureFlagsExists, artifactBucketExists, artifactPVCExists, metricsExists, trustedresourcesExists, spireconfigExists bool for _, cm := range d.ConfigMaps { if cm.Name == config.GetDefaultsConfigName() { defaultsExists = true @@ -360,6 +360,9 @@ func EnsureConfigurationConfigMapsExist(d *Data) { if cm.Name == config.GetTrustedResourcesConfigName() { trustedresourcesExists = true } + if cm.Name == config.GetSpireConfigName() { + spireconfigExists = true + } } if !defaultsExists { d.ConfigMaps = append(d.ConfigMaps, &corev1.ConfigMap{ @@ -397,4 +400,10 @@ func EnsureConfigurationConfigMapsExist(d *Data) { Data: map[string]string{}, }) } + if !spireconfigExists { + d.ConfigMaps = append(d.ConfigMaps, &corev1.ConfigMap{ + ObjectMeta: metav1.ObjectMeta{Name: config.GetSpireConfigName(), Namespace: system.Namespace()}, + Data: map[string]string{}, + }) + } } diff --git a/test/controller_test.go b/test/controller_test.go index 65bd444626e..fba6e94cb7f 100644 --- a/test/controller_test.go +++ b/test/controller_test.go @@ -158,6 +158,10 @@ func TestEnsureConfigurationConfigMapsExist(t *testing.T) { ObjectMeta: metav1.ObjectMeta{Name: config.GetTrustedResourcesConfigName(), Namespace: system.Namespace()}, Data: map[string]string{}, }) + expected.ConfigMaps = append(expected.ConfigMaps, &corev1.ConfigMap{ + ObjectMeta: metav1.ObjectMeta{Name: config.GetSpireConfigName(), Namespace: system.Namespace()}, + Data: map[string]string{}, + }) EnsureConfigurationConfigMapsExist(&d) if d := cmp.Diff(expected, d); d != "" { diff --git a/test/e2e-common.sh b/test/e2e-common.sh index 66a4167e01b..28dabb9871f 100755 --- a/test/e2e-common.sh +++ b/test/e2e-common.sh @@ -48,6 +48,65 @@ function install_pipeline_crd_version() { verify_pipeline_installation } +function spire_apply() { + if [ $# -lt 2 -o "$1" != "-spiffeID" ]; then + echo "spire_apply requires a spiffeID as the first arg" >&2 + exit 1 + fi + show=$(kubectl exec -n spire deployment/spire-server -- \ + /opt/spire/bin/spire-server entry show $1 $2) + if [ "$show" != "Found 0 entries" ]; then + # delete to recreate + entryid=$(echo "$show" | grep "^Entry ID" | cut -f2 -d:) + kubectl exec -n spire deployment/spire-server -- \ + /opt/spire/bin/spire-server entry delete -entryID $entryid + fi + kubectl exec -n spire deployment/spire-server -- \ + /opt/spire/bin/spire-server entry create "$@" +} + +function install_spire() { + echo ">> Deploying Spire" + DIR="$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )" + + echo "Creating SPIRE namespace..." + kubectl create ns spire + + echo "Applying SPIFFE CSI Driver configuration..." + kubectl apply -f "$DIR"/testdata/spire/spiffe-csi-driver.yaml + + echo "Deploying SPIRE server" + kubectl apply -f "$DIR"/testdata/spire/spire-server.yaml + + echo "Deploying SPIRE agent" + kubectl apply -f "$DIR"/testdata/spire/spire-agent.yaml + + wait_until_pods_running spire || fail_test "SPIRE did not come up" + + spire_apply \ + -spiffeID spiffe://example.org/ns/spire/node/example \ + -selector k8s_psat:cluster:example-cluster \ + -selector k8s_psat:agent_ns:spire \ + -selector k8s_psat:agent_sa:spire-agent \ + -node + spire_apply \ + -spiffeID spiffe://example.org/ns/tekton-pipelines/sa/tekton-pipelines-controller \ + -parentID spiffe://example.org/ns/spire/node/example \ + -selector k8s:ns:tekton-pipelines \ + -selector k8s:pod-label:app:tekton-pipelines-controller \ + -selector k8s:sa:tekton-pipelines-controller \ + -admin +} + +function patch_pipline_spire() { + kubectl patch \ + deployment tekton-pipelines-controller \ + -n tekton-pipelines \ + --patch-file "$DIR"/testdata/patch/pipeline-controller-spire.json + + verify_pipeline_installation +} + function verify_pipeline_installation() { # Make sure that everything is cleaned up in the current namespace. delete_pipeline_resources diff --git a/test/e2e-tests.sh b/test/e2e-tests.sh index b553452f46c..0586eecb50a 100755 --- a/test/e2e-tests.sh +++ b/test/e2e-tests.sh @@ -40,6 +40,21 @@ header "Setting up environment" install_pipeline_crd failed=0 +function alpha_gate() { + local gate="$1" + if [ "$gate" != "alpha" ] && [ "$gate" != "stable" ] && [ "$gate" != "beta" ] ; then + printf "Invalid gate %s\n" ${gate} + exit 255 + fi + if [ "$gate" == "alpha" ] ; then + DIR="$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )" + printf "Setting up environment for alpha features" + install_spire + patch_pipline_spire + kubectl apply -n tekton-pipelines -f "$DIR"/testdata/spire/config-spire.yaml + failed=0 + fi +} function set_feature_gate() { local gate="$1" @@ -91,6 +106,7 @@ function run_e2e() { fi } +alpha_gate "$PIPELINE_FEATURE_GATE" set_feature_gate "$PIPELINE_FEATURE_GATE" set_embedded_status "$EMBEDDED_STATUS_GATE" run_e2e diff --git a/test/embed_test.go b/test/embed_test.go index 893a4305bb4..9be6b1e4359 100644 --- a/test/embed_test.go +++ b/test/embed_test.go @@ -44,7 +44,12 @@ func TestTaskRun_EmbeddedResource(t *testing.T) { ctx := context.Background() ctx, cancel := context.WithCancel(ctx) defer cancel() - c, namespace := setup(ctx, t) + + var c *clients + var namespace string + + c, namespace = setup(ctx, t) + t.Parallel() knativetest.CleanupOnInterrupt(func() { tearDown(ctx, t, c, namespace) }, t.Logf) @@ -68,6 +73,15 @@ func TestTaskRun_EmbeddedResource(t *testing.T) { // TODO(#127) Currently we have no reliable access to logs from the TaskRun so we'll assume successful // completion of the TaskRun means the TaskRun did what it was intended. + + if spireEnabled, _ := hasAnyGate(ctx, spireFeatureGates, t, c, namespace); spireEnabled { + tr, err := c.V1beta1TaskRunClient.Get(ctx, embedTaskRunName, metav1.GetOptions{}) + if err != nil { + t.Errorf("Error retrieving taskrun: %s", err) + } + spireShouldPassTaskRunResultsVerify(tr, t) + } + } func getEmbeddedTask(t *testing.T, taskName, namespace string, args []string) *v1beta1.Task { diff --git a/test/entrypoint_test.go b/test/entrypoint_test.go index f2ffa7b0ab5..4514028d2fa 100644 --- a/test/entrypoint_test.go +++ b/test/entrypoint_test.go @@ -39,7 +39,12 @@ func TestEntrypointRunningStepsInOrder(t *testing.T) { ctx := context.Background() ctx, cancel := context.WithCancel(ctx) defer cancel() - c, namespace := setup(ctx, t) + + var c *clients + var namespace string + + c, namespace = setup(ctx, t) + t.Parallel() knativetest.CleanupOnInterrupt(func() { tearDown(ctx, t, c, namespace) }, t.Logf) @@ -70,4 +75,12 @@ spec: t.Errorf("Error waiting for TaskRun to finish successfully: %s", err) } + if spireEnabled, _ := hasAnyGate(ctx, spireFeatureGates, t, c, namespace); spireEnabled { + tr, err := c.V1beta1TaskRunClient.Get(ctx, epTaskRunName, metav1.GetOptions{}) + if err != nil { + t.Errorf("Error retrieving taskrun: %s", err) + } + spireShouldPassTaskRunResultsVerify(tr, t) + } + } diff --git a/test/featureflags.go b/test/featureflags.go index 59fb1d767f9..47215308dce 100644 --- a/test/featureflags.go +++ b/test/featureflags.go @@ -14,40 +14,49 @@ import ( "knative.dev/pkg/system" ) +func hasAnyGate(ctx context.Context, gates map[string]string, t *testing.T, c *clients, namespace string) (bool, string) { + featureFlagsCM, err := c.KubeClient.CoreV1().ConfigMaps(system.Namespace()).Get(ctx, config.GetFeatureFlagsConfigName(), metav1.GetOptions{}) + if err != nil { + t.Fatalf("Failed to get ConfigMap `%s`: %s", config.GetFeatureFlagsConfigName(), err) + } + resolverFeatureFlagsCM, err := c.KubeClient.CoreV1().ConfigMaps(resolverconfig.ResolversNamespace(system.Namespace())). + Get(ctx, resolverconfig.GetFeatureFlagsConfigName(), metav1.GetOptions{}) + if err != nil && !errors.IsNotFound(err) { + t.Fatalf("Failed to get ConfigMap `%s`: %s", resolverconfig.GetFeatureFlagsConfigName(), err) + } + resolverMap := make(map[string]string) + if resolverFeatureFlagsCM != nil { + resolverMap = resolverFeatureFlagsCM.Data + } + pairs := []string{} + for name, value := range gates { + actual, ok := featureFlagsCM.Data[name] + if ok && value == actual { + return true, "" + } + actual, ok = resolverMap[name] + if ok && value == actual { + return true, "" + } + pairs = append(pairs, fmt.Sprintf("%q: %q", name, value)) + } + status := fmt.Sprintf( + "No feature flag in namespace %q matching %s\nExisting feature flag: %#v\nExisting resolver feature flag (in namespace %q): %#v", + system.Namespace(), strings.Join(pairs, " or "), featureFlagsCM.Data, + resolverconfig.ResolversNamespace(system.Namespace()), resolverMap) + return false, status +} + // requireAnyGate returns a setup func that will skip the current // test if none of the feature-flags in the given map match // what's in the feature-flags ConfigMap. It will fatally fail // the test if it cannot get the feature-flag configmap. func requireAnyGate(gates map[string]string) func(context.Context, *testing.T, *clients, string) { return func(ctx context.Context, t *testing.T, c *clients, namespace string) { - featureFlagsCM, err := c.KubeClient.CoreV1().ConfigMaps(system.Namespace()).Get(ctx, config.GetFeatureFlagsConfigName(), metav1.GetOptions{}) - if err != nil { - t.Fatalf("Failed to get ConfigMap `%s`: %s", config.GetFeatureFlagsConfigName(), err) - } - resolverFeatureFlagsCM, err := c.KubeClient.CoreV1().ConfigMaps(resolverconfig.ResolversNamespace(system.Namespace())). - Get(ctx, resolverconfig.GetFeatureFlagsConfigName(), metav1.GetOptions{}) - if err != nil && !errors.IsNotFound(err) { - t.Fatalf("Failed to get ConfigMap `%s`: %s", resolverconfig.GetFeatureFlagsConfigName(), err) - } - resolverMap := make(map[string]string) - if resolverFeatureFlagsCM != nil { - resolverMap = resolverFeatureFlagsCM.Data - } - pairs := []string{} - for name, value := range gates { - actual, ok := featureFlagsCM.Data[name] - if ok && value == actual { - return - } - actual, ok = resolverMap[name] - if ok && value == actual { - return - } - pairs = append(pairs, fmt.Sprintf("%q: %q", name, value)) + exists, status := hasAnyGate(ctx, gates, t, c, namespace) + if !exists { + t.Skipf(status) } - t.Skipf("No feature flag in namespace %q matching %s\nExisting feature flag: %#v\nExisting resolver feature flag (in namespace %q): %#v", - system.Namespace(), strings.Join(pairs, " or "), featureFlagsCM.Data, - resolverconfig.ResolversNamespace(system.Namespace()), resolverMap) } } diff --git a/test/helm_task_test.go b/test/helm_task_test.go index e56ee1c4015..3f5b1d776e4 100644 --- a/test/helm_task_test.go +++ b/test/helm_task_test.go @@ -46,7 +46,12 @@ func TestHelmDeployPipelineRun(t *testing.T) { ctx := context.Background() ctx, cancel := context.WithCancel(ctx) defer cancel() - c, namespace := setup(ctx, t) + + var c *clients + var namespace string + + c, namespace = setup(ctx, t) + setupClusterBindingForHelm(ctx, c, t, namespace) var ( @@ -103,6 +108,16 @@ func TestHelmDeployPipelineRun(t *testing.T) { t.Fatalf("PipelineRun execution failed; helm may or may not have been installed :(") } + if spireEnabled, _ := hasAnyGate(ctx, spireFeatureGates, t, c, namespace); spireEnabled { + taskrunList, err := c.V1beta1TaskRunClient.List(ctx, metav1.ListOptions{LabelSelector: "tekton.dev/pipelineRun=" + helmDeployPipelineRunName}) + if err != nil { + t.Fatalf("Error listing TaskRuns for PipelineRun %s: %s", helmDeployPipelineRunName, err) + } + for _, taskrunItem := range taskrunList.Items { + spireShouldPassTaskRunResultsVerify(&taskrunItem, t) + } + } + // cleanup task to remove helm releases from cluster and cluster role bindings, will not fail the test if it fails, just log knativetest.CleanupOnInterrupt(func() { helmCleanup(ctx, c, t, namespace) }, t.Logf) defer helmCleanup(ctx, c, t, namespace) diff --git a/test/hermetic_taskrun_test.go b/test/hermetic_taskrun_test.go index 72b9c208de7..f80b08ee86b 100644 --- a/test/hermetic_taskrun_test.go +++ b/test/hermetic_taskrun_test.go @@ -38,7 +38,11 @@ func TestHermeticTaskRun(t *testing.T) { ctx, cancel := context.WithCancel(ctx) defer cancel() - c, namespace := setup(ctx, t, requireAnyGate(map[string]string{"enable-api-fields": "alpha"})) + var c *clients + var namespace string + + c, namespace = setup(ctx, t, requireAnyGate(map[string]string{"enable-api-fields": "alpha"})) + t.Parallel() defer tearDown(ctx, t, c, namespace) @@ -67,6 +71,13 @@ func TestHermeticTaskRun(t *testing.T) { if err := WaitForTaskRunState(ctx, c, regularTaskRunName, Succeed(regularTaskRunName), "TaskRunCompleted", v1beta1Version); err != nil { t.Errorf("Error waiting for TaskRun %s to finish: %s", regularTaskRunName, err) } + if spireEnabled, _ := hasAnyGate(ctx, spireFeatureGates, t, c, namespace); spireEnabled { + tr, err := c.V1beta1TaskRunClient.Get(ctx, regularTaskRunName, metav1.GetOptions{}) + if err != nil { + t.Errorf("Error retrieving taskrun: %s", err) + } + spireShouldPassTaskRunResultsVerify(tr, t) + } // now, run the task mode with hermetic mode // it should fail, since it shouldn't be able to access any network @@ -79,6 +90,13 @@ func TestHermeticTaskRun(t *testing.T) { if err := WaitForTaskRunState(ctx, c, hermeticTaskRunName, Failed(hermeticTaskRunName), "Failed", v1beta1Version); err != nil { t.Errorf("Error waiting for TaskRun %s to fail: %s", hermeticTaskRunName, err) } + if spireEnabled, _ := hasAnyGate(ctx, spireFeatureGates, t, c, namespace); spireEnabled { + tr, err := c.V1beta1TaskRunClient.Get(ctx, hermeticTaskRunName, metav1.GetOptions{}) + if err != nil { + t.Errorf("Error retrieving taskrun: %s", err) + } + spireShouldFailTaskRunResultsVerify(tr, t) + } }) } } diff --git a/test/ignore_step_error_test.go b/test/ignore_step_error_test.go index 9b1aed8fac2..be81d8bb18c 100644 --- a/test/ignore_step_error_test.go +++ b/test/ignore_step_error_test.go @@ -36,7 +36,12 @@ func TestMissingResultWhenStepErrorIsIgnored(t *testing.T) { ctx := context.Background() ctx, cancel := context.WithCancel(ctx) defer cancel() - c, namespace := setup(ctx, t) + + var c *clients + var namespace string + + c, namespace = setup(ctx, t) + knativetest.CleanupOnInterrupt(func() { tearDown(ctx, t, c, namespace) }, t.Logf) defer tearDown(ctx, t, c, namespace) @@ -99,6 +104,10 @@ spec: t.Fatalf("task1 should have produced a result before failing the step") } + if spireEnabled, _ := hasAnyGate(ctx, spireFeatureGates, t, c, namespace); spireEnabled { + spireShouldPassTaskRunResultsVerify(&taskrunItem, t) + } + for _, r := range taskrunItem.Status.TaskRunResults { if r.Name == "result1" && r.Value.StringVal != "123" { t.Fatalf("task1 should have initialized a result \"result1\" to \"123\"") diff --git a/test/init_test.go b/test/init_test.go index 7089fb6715b..e413e41f4da 100644 --- a/test/init_test.go +++ b/test/init_test.go @@ -31,6 +31,7 @@ import ( "testing" "github.com/tektoncd/pipeline/pkg/apis/config" + "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1" "github.com/tektoncd/pipeline/pkg/names" corev1 "k8s.io/api/core/v1" "k8s.io/apimachinery/pkg/api/errors" @@ -46,6 +47,11 @@ import ( "sigs.k8s.io/yaml" ) +var spireFeatureGates = map[string]string{ + "enable-nonfalsifiability": "spire", + "enable-api-fields": "alpha", +} + var initMetrics sync.Once var skipRootUserTests = false @@ -319,3 +325,20 @@ func getCRDYaml(ctx context.Context, cs *clients, ns string) ([]byte, error) { return output, nil } + +// Verifies if the taskrun results should not be verified by spire +func spireShouldFailTaskRunResultsVerify(tr *v1beta1.TaskRun, t *testing.T) { + if tr.IsTaskRunResultVerified() { + t.Errorf("Taskrun `%s` status condition should not be verified as taskrun failed", tr.Name) + } + t.Logf("Taskrun `%s` status results condition verified by spire as false, which is valid", tr.Name) +} + +// Verifies if the taskrun results are verified by spire +func spireShouldPassTaskRunResultsVerify(tr *v1beta1.TaskRun, t *testing.T) { + if !tr.IsTaskRunResultVerified() { + t.Errorf("Taskrun `%s` status condition not verified. Spire taskrun results verification failure", tr.Name) + } else { + t.Logf("Taskrun `%s` status results condition verified by spire as true, which is valid", tr.Name) + } +} diff --git a/test/kaniko_task_test.go b/test/kaniko_task_test.go index 875c244b0bf..559ce472b5b 100644 --- a/test/kaniko_task_test.go +++ b/test/kaniko_task_test.go @@ -50,7 +50,11 @@ func TestKanikoTaskRun(t *testing.T) { t.Skip("Skip test as skipRootUserTests set to true") } - c, namespace := setup(ctx, t, withRegistry) + var c *clients + var namespace string + + c, namespace = setup(ctx, t, withRegistry) + t.Parallel() repo := fmt.Sprintf("registry.%s:5000/kanikotasktest", namespace) @@ -123,6 +127,10 @@ func TestKanikoTaskRun(t *testing.T) { t.Fatalf("Expected remote commit to match local revision: %s, %s", commit, revision) } + if spireEnabled, _ := hasAnyGate(ctx, spireFeatureGates, t, c, namespace); spireEnabled { + spireShouldPassTaskRunResultsVerify(tr, t) + } + // match the local digest, which is first capture group against the remote image remoteDigest, err := getRemoteDigest(t, c, namespace, repo) if err != nil { diff --git a/test/pipelinefinally_test.go b/test/pipelinefinally_test.go index d0eeb7ca110..d7dabf795c9 100644 --- a/test/pipelinefinally_test.go +++ b/test/pipelinefinally_test.go @@ -47,7 +47,12 @@ func TestPipelineLevelFinally_OneDAGTaskFailed_InvalidTaskResult_Failure(t *test ctx := context.Background() ctx, cancel := context.WithCancel(ctx) defer cancel() - c, namespace := setup(ctx, t) + + var c *clients + var namespace string + + c, namespace = setup(ctx, t) + knativetest.CleanupOnInterrupt(func() { tearDown(ctx, t, c, namespace) }, t.Logf) defer tearDown(ctx, t, c, namespace) @@ -260,27 +265,46 @@ spec: if !isFailed(t, n, taskrunItem.Status.Conditions) { t.Fatalf("dag task %s should have failed", n) } + if spireEnabled, _ := hasAnyGate(ctx, spireFeatureGates, t, c, namespace); spireEnabled { + spireShouldFailTaskRunResultsVerify(&taskrunItem, t) + } dagTask1EndTime = taskrunItem.Status.CompletionTime case n == "dagtask2": if err := WaitForTaskRunState(ctx, c, taskrunItem.Name, TaskRunSucceed(taskrunItem.Name), "TaskRunSuccess", v1beta1Version); err != nil { t.Errorf("Error waiting for TaskRun to succeed: %v", err) } + if spireEnabled, _ := hasAnyGate(ctx, spireFeatureGates, t, c, namespace); spireEnabled { + spireShouldPassTaskRunResultsVerify(&taskrunItem, t) + } dagTask2EndTime = taskrunItem.Status.CompletionTime case n == "dagtask4": + if spireEnabled, _ := hasAnyGate(ctx, spireFeatureGates, t, c, namespace); spireEnabled { + // Skipped so status annotations should not be there. Results should not be verified as not run + spireShouldFailTaskRunResultsVerify(&taskrunItem, t) + } t.Fatalf("task %s should have skipped due to when expression", n) case n == "dagtask5": if err := WaitForTaskRunState(ctx, c, taskrunItem.Name, TaskRunSucceed(taskrunItem.Name), "TaskRunSuccess", v1beta1Version); err != nil { t.Errorf("Error waiting for TaskRun to succeed: %v", err) } + if spireEnabled, _ := hasAnyGate(ctx, spireFeatureGates, t, c, namespace); spireEnabled { + spireShouldPassTaskRunResultsVerify(&taskrunItem, t) + } case n == "finaltask1": if err := WaitForTaskRunState(ctx, c, taskrunItem.Name, TaskRunSucceed(taskrunItem.Name), "TaskRunSuccess", v1beta1Version); err != nil { t.Errorf("Error waiting for TaskRun to succeed: %v", err) } + if spireEnabled, _ := hasAnyGate(ctx, spireFeatureGates, t, c, namespace); spireEnabled { + spireShouldPassTaskRunResultsVerify(&taskrunItem, t) + } finalTaskStartTime = taskrunItem.Status.StartTime case n == "finaltask2": if err := WaitForTaskRunState(ctx, c, taskrunItem.Name, TaskRunSucceed(taskrunItem.Name), "TaskRunSuccess", v1beta1Version); err != nil { t.Errorf("Error waiting for TaskRun to succeed: %v", err) } + if spireEnabled, _ := hasAnyGate(ctx, spireFeatureGates, t, c, namespace); spireEnabled { + spireShouldPassTaskRunResultsVerify(&taskrunItem, t) + } for _, p := range taskrunItem.Spec.Params { switch param := p.Name; param { case "dagtask1-status": @@ -306,6 +330,9 @@ spec: if err := WaitForTaskRunState(ctx, c, taskrunItem.Name, TaskRunSucceed(taskrunItem.Name), "TaskRunSuccess", v1beta1Version); err != nil { t.Errorf("Error waiting for TaskRun to succeed: %v", err) } + if spireEnabled, _ := hasAnyGate(ctx, spireFeatureGates, t, c, namespace); spireEnabled { + spireShouldPassTaskRunResultsVerify(&taskrunItem, t) + } for _, p := range taskrunItem.Spec.Params { if p.Name == "dagtask-result" && p.Value.StringVal != "Hello" { t.Errorf("Error resolving task result reference in a finally task %s", n) @@ -315,13 +342,27 @@ spec: if !isSuccessful(t, n, taskrunItem.Status.Conditions) { t.Fatalf("final task %s should have succeeded", n) } + if spireEnabled, _ := hasAnyGate(ctx, spireFeatureGates, t, c, namespace); spireEnabled { + spireShouldPassTaskRunResultsVerify(&taskrunItem, t) + } case n == "guardedfinaltaskusingdagtask5status1": if !isSuccessful(t, n, taskrunItem.Status.Conditions) { t.Fatalf("final task %s should have succeeded", n) } + if spireEnabled, _ := hasAnyGate(ctx, spireFeatureGates, t, c, namespace); spireEnabled { + spireShouldPassTaskRunResultsVerify(&taskrunItem, t) + } case n == "guardedfinaltaskusingdagtask5result2": + if spireEnabled, _ := hasAnyGate(ctx, spireFeatureGates, t, c, namespace); spireEnabled { + // Skipped so status annotations should not be there. Results should not be verified as not run + spireShouldFailTaskRunResultsVerify(&taskrunItem, t) + } t.Fatalf("final task %s should have skipped due to when expression evaluating to false", n) case n == "finaltaskconsumingdagtask1" || n == "finaltaskconsumingdagtask4" || n == "guardedfinaltaskconsumingdagtask4": + if spireEnabled, _ := hasAnyGate(ctx, spireFeatureGates, t, c, namespace); spireEnabled { + // Skipped so status annotations should not be there. Results should not be verified as not run + spireShouldFailTaskRunResultsVerify(&taskrunItem, t) + } t.Fatalf("final task %s should have skipped due to missing task result reference", n) default: t.Fatalf("Found unexpected taskRun %s", n) @@ -397,7 +438,12 @@ func TestPipelineLevelFinally_OneFinalTaskFailed_Failure(t *testing.T) { ctx := context.Background() ctx, cancel := context.WithCancel(ctx) defer cancel() - c, namespace := setup(ctx, t) + + var c *clients + var namespace string + + c, namespace = setup(ctx, t) + knativetest.CleanupOnInterrupt(func() { tearDown(ctx, t, c, namespace) }, t.Logf) defer tearDown(ctx, t, c, namespace) @@ -451,10 +497,16 @@ spec: if !isSuccessful(t, n, taskrunItem.Status.Conditions) { t.Fatalf("dag task %s should have succeeded", n) } + if spireEnabled, _ := hasAnyGate(ctx, spireFeatureGates, t, c, namespace); spireEnabled { + spireShouldPassTaskRunResultsVerify(&taskrunItem, t) + } case n == "finaltask1": if !isFailed(t, n, taskrunItem.Status.Conditions) { t.Fatalf("final task %s should have failed", n) } + if spireEnabled, _ := hasAnyGate(ctx, spireFeatureGates, t, c, namespace); spireEnabled { + spireShouldFailTaskRunResultsVerify(&taskrunItem, t) + } default: t.Fatalf("TaskRuns were not found for both final and dag tasks") } @@ -465,7 +517,12 @@ func TestPipelineLevelFinally_OneFinalTask_CancelledRunFinally(t *testing.T) { ctx := context.Background() ctx, cancel := context.WithCancel(ctx) defer cancel() - c, namespace := setup(ctx, t, requireAlphaFeatureFlags) + + var c *clients + var namespace string + + c, namespace = setup(ctx, t, requireAlphaFeatureFlags) + knativetest.CleanupOnInterrupt(func() { tearDown(ctx, t, c, namespace) }, t.Logf) defer tearDown(ctx, t, c, namespace) @@ -562,13 +619,25 @@ spec: if !isCancelled(t, n, taskrunItem.Status.Conditions) { t.Fatalf("dag task %s should have been cancelled", n) } + if spireEnabled, _ := hasAnyGate(ctx, spireFeatureGates, t, c, namespace); spireEnabled { + spireShouldFailTaskRunResultsVerify(&taskrunItem, t) + } case "dagtask2": + if spireEnabled, _ := hasAnyGate(ctx, spireFeatureGates, t, c, namespace); spireEnabled { + spireShouldFailTaskRunResultsVerify(&taskrunItem, t) + } t.Fatalf("second dag task %s should be skipped as it depends on the result from cancelled 'dagtask1'", n) case "finaltask1": if !isSuccessful(t, n, taskrunItem.Status.Conditions) { t.Fatalf("first final task %s should have succeeded", n) } + if spireEnabled, _ := hasAnyGate(ctx, spireFeatureGates, t, c, namespace); spireEnabled { + spireShouldPassTaskRunResultsVerify(&taskrunItem, t) + } case "finaltask2": + if spireEnabled, _ := hasAnyGate(ctx, spireFeatureGates, t, c, namespace); spireEnabled { + spireShouldFailTaskRunResultsVerify(&taskrunItem, t) + } t.Fatalf("second final task %s should be skipped as it depends on the result from cancelled 'dagtask1'", n) default: t.Fatalf("TaskRuns were not found for both final and dag tasks") @@ -580,7 +649,12 @@ func TestPipelineLevelFinally_OneFinalTask_StoppedRunFinally(t *testing.T) { ctx := context.Background() ctx, cancel := context.WithCancel(ctx) defer cancel() - c, namespace := setup(ctx, t, requireAlphaFeatureFlags) + + var c *clients + var namespace string + + c, namespace = setup(ctx, t, requireAlphaFeatureFlags) + knativetest.CleanupOnInterrupt(func() { tearDown(ctx, t, c, namespace) }, t.Logf) defer tearDown(ctx, t, c, namespace) @@ -677,14 +751,23 @@ spec: if !isSuccessful(t, n, taskrunItem.Status.Conditions) { t.Fatalf("dag task %s should have succeeded", n) } + if spireEnabled, _ := hasAnyGate(ctx, spireFeatureGates, t, c, namespace); spireEnabled { + spireShouldPassTaskRunResultsVerify(&taskrunItem, t) + } case "finaltask1": if !isSuccessful(t, n, taskrunItem.Status.Conditions) { t.Fatalf("first final task %s should have succeeded", n) } + if spireEnabled, _ := hasAnyGate(ctx, spireFeatureGates, t, c, namespace); spireEnabled { + spireShouldPassTaskRunResultsVerify(&taskrunItem, t) + } case "finaltask2": if !isSuccessful(t, n, taskrunItem.Status.Conditions) { t.Fatalf("second final task %s should have succeeded", n) } + if spireEnabled, _ := hasAnyGate(ctx, spireFeatureGates, t, c, namespace); spireEnabled { + spireShouldPassTaskRunResultsVerify(&taskrunItem, t) + } default: t.Fatalf("TaskRuns were not found for both final and dag tasks") } diff --git a/test/pipelinerun_test.go b/test/pipelinerun_test.go index d82fd09412f..f20416b8660 100644 --- a/test/pipelinerun_test.go +++ b/test/pipelinerun_test.go @@ -315,7 +315,11 @@ spec: ctx := context.Background() ctx, cancel := context.WithCancel(ctx) defer cancel() - c, namespace := setup(ctx, t) + + var c *clients + var namespace string + + c, namespace = setup(ctx, t) knativetest.CleanupOnInterrupt(func() { tearDown(ctx, t, c, namespace) }, t.Logf) defer tearDown(ctx, t, c, namespace) @@ -347,6 +351,9 @@ spec: if strings.HasPrefix(actualTaskRunItem.Name, taskRunName) { taskRunName = actualTaskRunItem.Name } + if spireEnabled, _ := hasAnyGate(ctx, spireFeatureGates, t, c, namespace); spireEnabled { + spireShouldPassTaskRunResultsVerify(&actualTaskRunItem, t) + } } expectedTaskRunNames = append(expectedTaskRunNames, taskRunName) r, err := c.V1beta1TaskRunClient.Get(ctx, taskRunName, metav1.GetOptions{}) @@ -451,7 +458,11 @@ func TestPipelineRunRefDeleted(t *testing.T) { ctx := context.Background() ctx, cancel := context.WithCancel(ctx) defer cancel() - c, namespace := setup(ctx, t) + + var c *clients + var namespace string + + c, namespace = setup(ctx, t) knativetest.CleanupOnInterrupt(func() { tearDown(ctx, t, c, namespace) }, t.Logf) defer tearDown(ctx, t, c, namespace) @@ -515,6 +526,16 @@ spec: t.Fatalf("Error waiting for PipelineRun %s to finish: %s", prName, err) } + if spireEnabled, _ := hasAnyGate(ctx, spireFeatureGates, t, c, namespace); spireEnabled { + taskrunList, err := c.V1beta1TaskRunClient.List(ctx, metav1.ListOptions{LabelSelector: "tekton.dev/pipelineRun=" + prName}) + if err != nil { + t.Fatalf("Error listing TaskRuns for PipelineRun %s: %s", prName, err) + } + for _, taskrunItem := range taskrunList.Items { + spireShouldPassTaskRunResultsVerify(&taskrunItem, t) + } + } + } // TestPipelineRunPending tests that a Pending PipelineRun is not run until the pending @@ -525,7 +546,11 @@ func TestPipelineRunPending(t *testing.T) { ctx := context.Background() ctx, cancel := context.WithCancel(ctx) defer cancel() - c, namespace := setup(ctx, t) + + var c *clients + var namespace string + + c, namespace = setup(ctx, t) knativetest.CleanupOnInterrupt(func() { tearDown(ctx, t, c, namespace) }, t.Logf) defer tearDown(ctx, t, c, namespace) @@ -601,6 +626,15 @@ spec: if err := WaitForPipelineRunState(ctx, c, prName, timeout, PipelineRunSucceed(prName), "PipelineRunSuccess", v1beta1Version); err != nil { t.Fatalf("Error waiting for PipelineRun %s to finish: %s", prName, err) } + if spireEnabled, _ := hasAnyGate(ctx, spireFeatureGates, t, c, namespace); spireEnabled { + taskrunList, err := c.V1beta1TaskRunClient.List(ctx, metav1.ListOptions{LabelSelector: "tekton.dev/pipelineRun=" + prName}) + if err != nil { + t.Fatalf("Error listing TaskRuns for PipelineRun %s: %s", prName, err) + } + for _, taskrunItem := range taskrunList.Items { + spireShouldPassTaskRunResultsVerify(&taskrunItem, t) + } + } } func getFanInFanOutTasks(t *testing.T, namespace string) map[string]*v1beta1.Task { diff --git a/test/status_test.go b/test/status_test.go index f8dc6ecdab3..66d68df7145 100644 --- a/test/status_test.go +++ b/test/status_test.go @@ -54,7 +54,12 @@ func TestTaskRunPipelineRunStatus(t *testing.T) { ctx := context.Background() ctx, cancel := context.WithCancel(ctx) defer cancel() - c, namespace := setup(ctx, t) + + var c *clients + var namespace string + + c, namespace = setup(ctx, t) + t.Parallel() knativetest.CleanupOnInterrupt(func() { tearDown(ctx, t, c, namespace) }, t.Logf) @@ -88,6 +93,14 @@ spec: t.Errorf("Error waiting for TaskRun to finish: %s", err) } + if spireEnabled, _ := hasAnyGate(ctx, spireFeatureGates, t, c, namespace); spireEnabled { + tr, err := c.V1beta1TaskRunClient.Get(ctx, taskRun.Name, metav1.GetOptions{}) + if err != nil { + t.Errorf("Error retrieving taskrun: %s", err) + } + spireShouldFailTaskRunResultsVerify(tr, t) + } + pipeline := parse.MustParseV1beta1Pipeline(t, fmt.Sprintf(` metadata: name: %s @@ -114,6 +127,17 @@ spec: if err := WaitForPipelineRunState(ctx, c, pipelineRun.Name, timeout, PipelineRunFailed(pipelineRun.Name), "BuildValidationFailed", v1beta1Version); err != nil { t.Errorf("Error waiting for TaskRun to finish: %s", err) } + + if spireEnabled, _ := hasAnyGate(ctx, spireFeatureGates, t, c, namespace); spireEnabled { + taskrunList, err := c.V1beta1TaskRunClient.List(ctx, metav1.ListOptions{LabelSelector: "tekton.dev/pipelineRun=" + pipelineRun.Name}) + if err != nil { + t.Fatalf("Error listing TaskRuns for PipelineRun %s: %s", pipelineRun.Name, err) + } + for _, taskrunItem := range taskrunList.Items { + spireShouldFailTaskRunResultsVerify(&taskrunItem, t) + } + } + } // TestProvenanceFieldInPipelineRunTaskRunStatus is an integration test that will diff --git a/test/taskrun_test.go b/test/taskrun_test.go index fb05ba2a755..c7ce5bb30db 100644 --- a/test/taskrun_test.go +++ b/test/taskrun_test.go @@ -21,12 +21,14 @@ package test import ( "context" + "encoding/json" "fmt" "regexp" "strings" "testing" "github.com/tektoncd/pipeline/test/parse" + jsonpatch "gomodules.xyz/jsonpatch/v2" "github.com/google/go-cmp/cmp" "github.com/google/go-cmp/cmp/cmpopts" @@ -34,6 +36,7 @@ import ( "github.com/tektoncd/pipeline/pkg/pod" corev1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/types" knativetest "knative.dev/pkg/test" "knative.dev/pkg/test/helpers" ) @@ -43,7 +46,11 @@ func TestTaskRunFailure(t *testing.T) { ctx, cancel := context.WithCancel(ctx) defer cancel() - c, namespace := setup(ctx, t) + var c *clients + var namespace string + + c, namespace = setup(ctx, t) + t.Parallel() knativetest.CleanupOnInterrupt(func() { tearDown(ctx, t, c, namespace) }, t.Logf) @@ -93,6 +100,10 @@ spec: t.Fatalf("Couldn't get expected TaskRun %s: %s", taskRunName, err) } + if spireEnabled, _ := hasAnyGate(ctx, spireFeatureGates, t, c, namespace); spireEnabled { + spireShouldFailTaskRunResultsVerify(taskrun, t) + } + expectedStepState := []v1beta1.StepState{{ ContainerState: corev1.ContainerState{ Terminated: &corev1.ContainerStateTerminated{ @@ -139,7 +150,12 @@ func TestTaskRunStatus(t *testing.T) { ctx := context.Background() ctx, cancel := context.WithCancel(ctx) defer cancel() - c, namespace := setup(ctx, t) + + var c *clients + var namespace string + + c, namespace = setup(ctx, t) + t.Parallel() knativetest.CleanupOnInterrupt(func() { tearDown(ctx, t, c, namespace) }, t.Logf) @@ -185,6 +201,10 @@ spec: t.Fatalf("Couldn't get expected TaskRun %s: %s", taskRunName, err) } + if spireEnabled, _ := hasAnyGate(ctx, spireFeatureGates, t, c, namespace); spireEnabled { + spireShouldPassTaskRunResultsVerify(taskrun, t) + } + expectedStepState := []v1beta1.StepState{{ ContainerState: corev1.ContainerState{ Terminated: &corev1.ContainerStateTerminated{ @@ -210,3 +230,105 @@ spec: t.Fatalf("-got, +want: %v", d) } } + +// TestTaskRunModification is an exclusive test for SPIRE integration into taskrun. +// The test starts a taskrun which has a sleep. While the taskrun is "sleep"ing, +// the text modifies the taskrun results. +// This change is caught by the taskrun reconciler when it tries to verify the results. +func TestTaskRunModification(t *testing.T) { + ctx := context.Background() + ctx, cancel := context.WithCancel(ctx) + defer cancel() + + var c *clients + var namespace string + + c, namespace = setup(ctx, t, requireAnyGate(spireFeatureGates)) + + knativetest.CleanupOnInterrupt(func() { tearDown(ctx, t, c, namespace) }, t.Logf) + defer tearDown(ctx, t, c, namespace) + + taskRunName := "non-falsifiable-provenance" + + t.Logf("Creating Task and TaskRun in namespace %s", namespace) + task := parse.MustParseV1beta1Task(t, fmt.Sprintf(` +metadata: + name: non-falsifiable + namespace: %s +spec: + steps: + - image: ubuntu + script: | + #!/usr/bin/env bash + sleep 20 + printf "hello" > "$(results.foo.path)" + printf "world" > "$(results.bar.path)" + results: + - name: foo + - name: bar +`, namespace)) + if _, err := c.V1beta1TaskClient.Create(ctx, task, metav1.CreateOptions{}); err != nil { + t.Fatalf("Failed to create Task: %s", err) + } + taskRun := parse.MustParseV1beta1TaskRun(t, fmt.Sprintf(` +metadata: + name: %s + namespace: %s +spec: + taskRef: + name: non-falsifiable +`, taskRunName, namespace)) + if _, err := c.V1beta1TaskRunClient.Create(ctx, taskRun, metav1.CreateOptions{}); err != nil { + t.Fatalf("Failed to create TaskRun: %s", err) + } + + t.Logf("Waiting for TaskRun in namespace %s to be in running state", namespace) + if err := WaitForTaskRunState(ctx, c, taskRunName, Running(taskRunName), "TaskRunRunning", v1beta1Version); err != nil { + t.Errorf("Error waiting for TaskRun to start running: %s", err) + } + + patches := []jsonpatch.JsonPatchOperation{{ + Operation: "replace", + Path: "/status/taskSpec/steps/0/image", + Value: "not-ubuntu", + }} + patchBytes, err := json.Marshal(patches) + if err != nil { + t.Fatalf("failed to marshal patch bytes in order to stop") + } + t.Logf("Patching TaskRun %s in namespace %s mid run for spire to catch the un-authorized changed", taskRunName, namespace) + if _, err := c.V1beta1TaskRunClient.Patch(ctx, taskRunName, types.JSONPatchType, patchBytes, metav1.PatchOptions{}, "status"); err != nil { + t.Fatalf("Failed to patch taskrun `%s`: %s", taskRunName, err) + } + + t.Logf("Waiting for TaskRun %s in namespace %s to succeed", taskRunName, namespace) + if err := WaitForTaskRunState(ctx, c, taskRunName, TaskRunFailed(taskRunName), "TaskRunFailed", v1beta1Version); err != nil { + t.Errorf("Error waiting for TaskRun to finish: %s", err) + } + + taskrun, err := c.V1beta1TaskRunClient.Get(ctx, taskRunName, metav1.GetOptions{}) + if err != nil { + t.Fatalf("Couldn't get expected TaskRun %s: %s", taskRunName, err) + } + + if spireEnabled, _ := hasAnyGate(ctx, spireFeatureGates, t, c, namespace); spireEnabled { + spireShouldFailTaskRunResultsVerify(taskrun, t) + } + + expectedStepState := []v1beta1.StepState{{ + ContainerState: corev1.ContainerState{ + Terminated: &corev1.ContainerStateTerminated{ + ExitCode: 1, + Reason: "Error", + }, + }, + Name: "unnamed-0", + ContainerName: "step-unnamed-0", + }} + + ignoreTerminatedFields := cmpopts.IgnoreFields(corev1.ContainerStateTerminated{}, "StartedAt", "FinishedAt", "ContainerID") + ignoreStepFields := cmpopts.IgnoreFields(v1beta1.StepState{}, "ImageID") + if d := cmp.Diff(taskrun.Status.Steps, expectedStepState, ignoreTerminatedFields, ignoreStepFields); d != "" { + t.Fatalf("-got, +want: %v", d) + } +} diff --git a/test/testdata/patch/pipeline-controller-spire.json b/test/testdata/patch/pipeline-controller-spire.json new file mode 100644 index 00000000000..6c08f20dfe9 --- /dev/null +++ b/test/testdata/patch/pipeline-controller-spire.json @@ -0,0 +1,56 @@ +{ + "spec":{ + "template":{ + "spec":{ + "$setElementOrder/containers":[ + { + "name":"tekton-pipelines-controller" + } + ], + "$setElementOrder/volumes":[ + { + "name":"config-logging" + }, + { + "name":"config-registry-cert" + }, + { + "name":"spiffe-workload-api" + } + ], + "containers":[ + { + "$setElementOrder/volumeMounts":[ + { + "mountPath":"/etc/config-logging" + }, + { + "mountPath":"/etc/config-registry-cert" + }, + { + "mountPath":"/spiffe-workload-api" + } + ], + "name":"tekton-pipelines-controller", + "volumeMounts":[ + { + "mountPath":"/spiffe-workload-api", + "name":"spiffe-workload-api", + "readOnly":true + } + ] + } + ], + "volumes":[ + { + "csi":{ + "driver":"csi.spiffe.io", + "readOnly":true + }, + "name":"spiffe-workload-api" + } + ] + } + } + } +} diff --git a/test/testdata/spire/config-spire.yaml b/test/testdata/spire/config-spire.yaml new file mode 100644 index 00000000000..30837a0e65d --- /dev/null +++ b/test/testdata/spire/config-spire.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: config-spire + namespace: tekton-pipelines + labels: + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines +data: + # spire-trust-domain specifies the SPIRE trust domain to use. + spire-trust-domain: "example.org" + # spire-socket-path specifies the SPIRE agent socket for SPIFFE workload API. + spire-socket-path: "unix:///spiffe-workload-api/spire-agent.sock" + # spire-server-addr specifies the SPIRE server address for workload/node registration. + spire-server-addr: "spire-server.spire.svc.cluster.local:8081" + # spire-node-alias-prefix specifies the SPIRE node alias prefix to use. + spire-node-alias-prefix: "/tekton-node/" \ No newline at end of file diff --git a/test/testdata/spire/spiffe-csi-driver.yaml b/test/testdata/spire/spiffe-csi-driver.yaml new file mode 100644 index 00000000000..e9d07bc5683 --- /dev/null +++ b/test/testdata/spire/spiffe-csi-driver.yaml @@ -0,0 +1,20 @@ +apiVersion: storage.k8s.io/v1 +kind: CSIDriver +metadata: + name: "csi.spiffe.io" +spec: + # Only ephemeral, inline volumes are supported. There is no need for a + # controller to provision and attach volumes. + attachRequired: false + + # Request the pod information which the CSI driver uses to verify that an + # ephemeral mount was requested. + podInfoOnMount: true + + # Don't change ownership on the contents of the mount since the Workload API + # Unix Domain Socket is typically open to all (i.e. 0777). + fsGroupPolicy: None + + # Declare support for ephemeral volumes only. + volumeLifecycleModes: + - Ephemeral diff --git a/test/testdata/spire/spire-agent.yaml b/test/testdata/spire/spire-agent.yaml new file mode 100644 index 00000000000..4e848a51388 --- /dev/null +++ b/test/testdata/spire/spire-agent.yaml @@ -0,0 +1,208 @@ +# ServiceAccount for the SPIRE agent +apiVersion: v1 +kind: ServiceAccount +metadata: + name: spire-agent + namespace: spire + +--- + +# Required cluster role to allow spire-agent to query k8s API server +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: spire-agent-cluster-role +rules: +- apiGroups: [""] + resources: ["pods", "nodes", "nodes/proxy"] + verbs: ["get"] + +--- + +# Binds above cluster role to spire-agent service account +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: spire-agent-cluster-role-binding +subjects: +- kind: ServiceAccount + name: spire-agent + namespace: spire +roleRef: + kind: ClusterRole + name: spire-agent-cluster-role + apiGroup: rbac.authorization.k8s.io + + +--- + +# ConfigMap for the SPIRE agent featuring: +# 1) PSAT node attestation +# 2) K8S Workload Attestation over the secure kubelet port +apiVersion: v1 +kind: ConfigMap +metadata: + name: spire-agent + namespace: spire +data: + agent.conf: | + agent { + data_dir = "/run/spire" + log_level = "DEBUG" + server_address = "spire-server" + server_port = "8081" + socket_path = "/run/spire/sockets/spire-agent.sock" + trust_bundle_path = "/run/spire/bundle/bundle.crt" + trust_domain = "example.org" + } + + plugins { + NodeAttestor "k8s_psat" { + plugin_data { + cluster = "example-cluster" + } + } + + KeyManager "memory" { + plugin_data { + } + } + + WorkloadAttestor "k8s" { + plugin_data { + skip_kubelet_verification = true + } + } + } + +--- + +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: spire-agent + namespace: spire + labels: + app: spire-agent +spec: + selector: + matchLabels: + app: spire-agent + updateStrategy: + type: RollingUpdate + template: + metadata: + namespace: spire + labels: + app: spire-agent + spec: + hostPID: true + hostNetwork: true + dnsPolicy: ClusterFirstWithHostNet + serviceAccountName: spire-agent + containers: + - name: spire-agent + image: ghcr.io/spiffe/spire-agent:1.1.1 + imagePullPolicy: IfNotPresent + args: ["-config", "/run/spire/config/agent.conf"] + volumeMounts: + - name: spire-config + mountPath: /run/spire/config + readOnly: true + - name: spire-bundle + mountPath: /run/spire/bundle + readOnly: true + - name: spire-token + mountPath: /var/run/secrets/tokens + - name: spire-agent-socket-dir + mountPath: /run/spire/sockets + # This is the container which runs the SPIFFE CSI driver. + - name: spiffe-csi-driver + image: ghcr.io/spiffe/spiffe-csi-driver:nightly + imagePullPolicy: IfNotPresent + args: [ + "-workload-api-socket-dir", "/spire-agent-socket", + "-csi-socket-path", "/spiffe-csi/csi.sock", + ] + env: + # The CSI driver needs a unique node ID. The node name can be + # used for this purpose. + - name: MY_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + volumeMounts: + # The volume containing the SPIRE agent socket. The SPIFFE CSI + # driver will mount this directory into containers. + - mountPath: /spire-agent-socket + name: spire-agent-socket-dir + readOnly: true + # The volume that will contain the CSI driver socket shared + # with the kubelet and the driver registrar. + - mountPath: /spiffe-csi + name: spiffe-csi-socket-dir + # The volume containing mount points for containers. + - mountPath: /var/lib/kubelet/pods + mountPropagation: Bidirectional + name: mountpoint-dir + securityContext: + privileged: true + # This container runs the CSI Node Driver Registrar which takes care + # of all the little details required to register a CSI driver with + # the kubelet. + - name: node-driver-registrar + image: quay.io/k8scsi/csi-node-driver-registrar:v2.0.1 + imagePullPolicy: IfNotPresent + args: [ + "-csi-address", "/spiffe-csi/csi.sock", + "-kubelet-registration-path", "/var/lib/kubelet/plugins/csi.spiffe.io/csi.sock", + ] + volumeMounts: + # The registrar needs access to the SPIFFE CSI driver socket + - mountPath: /spiffe-csi + name: spiffe-csi-socket-dir + # The registrar needs access to the Kubelet plugin registration + # directory + - name: kubelet-plugin-registration-dir + mountPath: /registration + volumes: + - name: spire-config + configMap: + name: spire-agent + - name: spire-bundle + configMap: + name: spire-bundle + - name: spire-token + projected: + sources: + - serviceAccountToken: + path: spire-agent + expirationSeconds: 7200 + audience: spire-server + # This volume is used to share the Workload API socket between the CSI + # driver and SPIRE agent. Note, an emptyDir volume could also be used, + # however, this can lead to broken bind mounts in the workload + # containers if the agent pod is restarted (since the emptyDir + # directory on the node that was mounted into workload containers by + # the CSI driver belongs to the old pod instance and is no longer + # valid). + - name: spire-agent-socket-dir + hostPath: + path: /run/spire/agent-sockets + type: DirectoryOrCreate + # This volume is where the socket for kubelet->driver communication lives + - name: spiffe-csi-socket-dir + hostPath: + path: /var/lib/kubelet/plugins/csi.spiffe.io + type: DirectoryOrCreate + # This volume is where the SPIFFE CSI driver mounts volumes + - name: mountpoint-dir + hostPath: + path: /var/lib/kubelet/pods + type: Directory + # This volume is where the node-driver-registrar registers the plugin + # with kubelet + - name: kubelet-plugin-registration-dir + hostPath: + path: /var/lib/kubelet/plugins_registry + type: Directory diff --git a/test/testdata/spire/spire-server.yaml b/test/testdata/spire/spire-server.yaml new file mode 100644 index 00000000000..ceec824613d --- /dev/null +++ b/test/testdata/spire/spire-server.yaml @@ -0,0 +1,211 @@ +# ServiceAccount used by the SPIRE server. +apiVersion: v1 +kind: ServiceAccount +metadata: + name: spire-server + namespace: spire + +--- + +# Required cluster role to allow spire-server to query k8s API server +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: spire-server-cluster-role +rules: +- apiGroups: [""] + resources: ["nodes"] + verbs: ["get"] + # allow TokenReview requests (to verify service account tokens for PSAT + # attestation) +- apiGroups: ["authentication.k8s.io"] + resources: ["tokenreviews"] + verbs: ["get", "create"] + +--- + +# Binds above cluster role to spire-server service account +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: spire-server-cluster-role-binding + namespace: spire +subjects: +- kind: ServiceAccount + name: spire-server + namespace: spire +roleRef: + kind: ClusterRole + name: spire-server-cluster-role + apiGroup: rbac.authorization.k8s.io + +--- + +# Role for the SPIRE server +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + namespace: spire + name: spire-server-role +rules: + # allow "get" access to pods (to resolve selectors for PSAT attestation) +- apiGroups: [""] + resources: ["pods"] + verbs: ["get"] + # allow access to "get" and "patch" the spire-bundle ConfigMap (for SPIRE + # agent bootstrapping, see the spire-bundle ConfigMap below) +- apiGroups: [""] + resources: ["configmaps"] + resourceNames: ["spire-bundle"] + verbs: ["get", "patch"] + +--- + +# RoleBinding granting the spire-server-role to the SPIRE server +# service account. +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: spire-server-role-binding + namespace: spire +subjects: +- kind: ServiceAccount + name: spire-server + namespace: spire +roleRef: + kind: Role + name: spire-server-role + apiGroup: rbac.authorization.k8s.io + +--- + +# ConfigMap containing the latest trust bundle for the trust domain. It is +# updated by SPIRE using the k8sbundle notifier plugin. SPIRE agents mount +# this config map and use the certificate to bootstrap trust with the SPIRE +# server during attestation. +apiVersion: v1 +kind: ConfigMap +metadata: + name: spire-bundle + namespace: spire + +--- + +# ConfigMap containing the SPIRE server configuration. +apiVersion: v1 +kind: ConfigMap +metadata: + name: spire-server + namespace: spire +data: + server.conf: | + server { + bind_address = "0.0.0.0" + bind_port = "8081" + trust_domain = "example.org" + data_dir = "/run/spire/data" + log_level = "DEBUG" + default_svid_ttl = "1h" + ca_ttl = "12h" + ca_subject { + country = ["US"] + organization = ["SPIFFE"] + common_name = "" + } + } + + plugins { + DataStore "sql" { + plugin_data { + database_type = "sqlite3" + connection_string = "/run/spire/data/datastore.sqlite3" + } + } + + NodeAttestor "k8s_psat" { + plugin_data { + clusters = { + "example-cluster" = { + service_account_allow_list = ["spire:spire-agent"] + } + } + } + } + + KeyManager "disk" { + plugin_data { + keys_path = "/run/spire/data/keys.json" + } + } + + Notifier "k8sbundle" { + plugin_data { + # This plugin updates the bundle.crt value in the spire:spire-bundle + # ConfigMap by default, so no additional configuration is necessary. + } + } + } + + health_checks { + listener_enabled = true + bind_address = "0.0.0.0" + bind_port = "8080" + live_path = "/live" + ready_path = "/ready" + } + +--- + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: spire-server + namespace: spire + labels: + app: spire-server +spec: + replicas: 1 + selector: + matchLabels: + app: spire-server + template: + metadata: + namespace: spire + labels: + app: spire-server + spec: + serviceAccountName: spire-server + shareProcessNamespace: true + containers: + - name: spire-server + image: ghcr.io/spiffe/spire-server:1.1.1 + imagePullPolicy: IfNotPresent + args: ["-config", "/run/spire/config/server.conf"] + ports: + - containerPort: 8081 + volumeMounts: + - name: spire-config + mountPath: /run/spire/config + readOnly: true + volumes: + - name: spire-config + configMap: + name: spire-server + +--- + +# Service definition for SPIRE server defining the gRPC port. +apiVersion: v1 +kind: Service +metadata: + name: spire-server + namespace: spire +spec: + type: NodePort + ports: + - name: grpc + port: 8081 + targetPort: 8081 + protocol: TCP + selector: + app: spire-server